How can I handle the security of web frameworks like Django on GitHub or any other public version control site?

The settings.py can and will often contain sensitive database information, passwords and secret keys, which must not be uploaded to the repository in plain view.

What is the common practice and least-hassle way of handling that?
As @Selcuk mentions, the 12 Factor App provides a nice guideline on how to protect and isolate your sensitive info.
In another answer here: Django settings: raise KeyError, raise ImproperlyConfigured or use defaults?
I explain the method I tend to use in order to be as close as possible to the 12 Factor guidelines.
In short:

1. Create a .env or .ini file with your project variables in it:

       DB_USERNAME=myDB
       DB_PASSWORD=for_your_eyes_only
       DEBUG=False
       MY_DJANGO_KEY=no_peeking_this_is_secret
       ...

2. Add .env and .env.* or .ini and .ini.* to your .gitignore file, thus protecting your sensitive info from being uploaded to GitHub.

3. Create an env.example (be careful not to name it with a . in the beginning, because it will get ignored). In that file you can put an example of the expected configuration in order to be reproducible by simply copy, paste, rename to .ini or .env.

4. Use decouple.config to read your config file, on settings.py:

       from decouple import Csv, config

       # cast=bool turns the string "False" from the file into a real bool;
       # the default only applies when the key is absent from the environment and the file
       DEBUG = config('DEBUG', cast=bool, default=True)
       # no default: a missing key raises at start-up instead of silently running with an empty secret
       SECRET_KEY = config('MY_DJANGO_KEY')
       ...
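The workflow above (a .env file kept out of git, an env.example that is committed, and a config() call with cast and default) as an added, self-contained example. This is not the answer's code and not python-decouple's own implementation: it is a stdlib stand-in whose config() mirrors the call shape config('KEY', cast=bool, default=...) and decouple's precedence (process environment first, then the file), plus two checks a reviewer would want before pushing: that the .gitignore patterns actually cover .env but not env.example, and that every key the committed env.example promises is defined in the real .env. File contents and credentials are constructed sample values.

```python
"""Constructed example: decouple-style config() plus .env / env.example checks."""
import fnmatch
import os

# Constructed sample file contents; not real credentials.
ENV_TEXT = """\
# local settings, never committed
DB_USERNAME=myDB
DB_PASSWORD='for_your_eyes_only'
DEBUG=False
MY_DJANGO_KEY=no_peeking_this_is_secret
"""

ENV_EXAMPLE_TEXT = """\
DB_USERNAME=
DB_PASSWORD=
DEBUG=True
MY_DJANGO_KEY=
ALLOWED_HOSTS=
"""

GITIGNORE_TEXT = """\
.env
.env.*
.ini
.ini.*
"""

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}
_UNSET = object()


class ImproperlyConfigured(Exception):
    """Raised when a required setting has no value and no default."""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped,
    matching single or double quotes around the value are stripped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def config(key, env, default=_UNSET, cast=None, environ=None):
    """Look up key in the process environment first, then in the parsed file.
    Missing with no default is an error, never a silent empty string."""
    environ = os.environ if environ is None else environ
    if key in environ:
        value = environ[key]
    elif key in env:
        value = env[key]
    elif default is _UNSET:
        raise ImproperlyConfigured("required setting %r is not set" % key)
    else:
        return default
    if cast is bool:
        lowered = value.strip().lower()
        if lowered in TRUE_VALUES:
            return True
        if lowered in FALSE_VALUES:
            return False
        raise ValueError("cannot cast %r to bool" % value)
    return cast(value) if cast else value


def gitignore_covers(gitignore_text, filename):
    """True if any non-comment pattern in the .gitignore text matches filename."""
    patterns = [p.strip() for p in gitignore_text.splitlines()
                if p.strip() and not p.startswith("#")]
    return any(fnmatch.fnmatch(filename, p) for p in patterns)


def missing_keys(example_text, env_text):
    """Keys listed in env.example that the real .env does not define."""
    return sorted(set(parse_env(example_text)) - set(parse_env(env_text)))


def load_settings(env_text, environ=None):
    """The values the settings.py lines in the answer would end up with."""
    env = parse_env(env_text)
    return {
        "DEBUG": config("DEBUG", env, cast=bool, default=True, environ=environ),
        "SECRET_KEY": config("MY_DJANGO_KEY", env, environ=environ),
        "DB_PASSWORD": config("DB_PASSWORD", env, environ=environ),
    }


if __name__ == "__main__":
    print(load_settings(ENV_TEXT))
    print(".env ignored:", gitignore_covers(GITIGNORE_TEXT, ".env"))
    print("env.example ignored:", gitignore_covers(GITIGNORE_TEXT, "env.example"))
    print("keys missing from .env:", missing_keys(ENV_EXAMPLE_TEXT, ENV_TEXT))
```

Two design points: a required key with no default fails at import time, which is the behaviour you want for SECRET_KEY (a deploy that starts with an empty secret is worse than one that refuses to start), and the gitignore check uses the same glob semantics as the patterns in the answer, so it confirms that .env and .env.local are ignored while env.example is not.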