Django Projects and git

How can I handle the security of web frameworks like django on github or any other public domain version control site?

The settings.py can and will often contain sensitive database information, passwords and secret keys, which must not be uploaded on the repository and in plain view.

What is the common practice and least hassle way of handling that?

addohm Avatar asked Jul 11 '17 02:07

1 Answer

As @Selcuk mentions, the 12 Factor App provides a nice guideline on how to protect and isolate your sensitive info.

In another answer here: Django settings: raise KeyError, raise ImproperlyConfigured or use defaults?
I explain the method I tend to use in order to be as close as possible to the 12 Factor guidelines.
In short:

  1. Create a .env or .ini file with your project variables in it:

    DB_USERNAME=myDB
    DB_PASSWORD=for_your_eyes_only
    DEBUG=False
    MY_DJANGO_KEY=no_peeking_this_is_secret
    ...
    
  2. Add .env and .env.* or .ini and .ini.* to your .gitignore file, thus protecting your sensitive info from being uploaded to github.
  3. Create an env.example (be careful not to name it with a . in the beginning, because it will get ignored). In that file you can put an example of the expected configuration in order to be reproducible by simply copying, pasting and renaming it to .ini or .env.
  4. Use decouple.config to read your config file:

    in settings.py:

    from decouple import Csv, config
    
    # falls back to True when DEBUG is absent from the environment and the .env/.ini file
    DEBUG = config('DEBUG', cast=bool, default=True)
    # no default: decouple raises UndefinedValueError at startup if the key is missing
    SECRET_KEY = config('MY_DJANGO_KEY')
    ...
    
John Moutafis Avatar answered Sep 17 '22 18:09

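To make the four steps above concrete without depending on the decouple package, here is an added example (not code from the answer or from python-decouple) of a minimal `config()` reader over a constructed .env file. It reproduces the behaviour the answer relies on: a real environment variable wins over the file, a default is used when given, a missing key with no default raises `ImproperlyConfigured` (a stand-in for Django's exception; decouple itself raises `UndefinedValueError`), and the string `False` is cast to the boolean `False` rather than to `True` as a plain `bool()` call would do.

```python
import os

# Constructed sample .env contents in the KEY=VALUE format the answer describes.
SAMPLE_ENV = """\
# database credentials (example values only, not real secrets)
DB_USERNAME=myDB
DB_PASSWORD=for_your_eyes_only
DEBUG=False
MY_DJANGO_KEY=no_peeking_this_is_secret
"""
_MISSING = object()  # sentinel: tells "no default given" apart from default=None


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ImproperlyConfigured(f"malformed .env line: {raw!r}")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def cast_bool(value):
    """'False' must become False; a plain bool('False') would be True."""
    lowered = value.strip().lower()
    if lowered in {"1", "true", "yes", "on"}:
        return True
    if lowered in {"0", "false", "no", "off"}:
        return False
    raise ImproperlyConfigured(f"not a boolean: {value!r}")


def make_config(file_values, environ=None):
    """Build a config(key, default=, cast=) reader over the parsed file."""
    environ = os.environ if environ is None else environ

    def config(key, default=_MISSING, cast=None):
        if key in environ:  # a real environment variable wins over the file
            value = environ[key]
        elif key in file_values:
            value = file_values[key]
        elif default is not _MISSING:  # defaults are returned uncast
            return default
        else:  # a missing secret fails loudly at startup instead of silently
            raise ImproperlyConfigured(f"setting {key} is not defined")
        return cast(value) if cast else value
    return config
```

In a settings module you would call `make_config(parse_env(open(".env").read()))` once and then read `SECRET_KEY = config("MY_DJANGO_KEY")` exactly as in the answer; the .env file itself stays in .gitignore.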