I waited a while to answer this, and my answer comes in three distinct 
parts.

#---------------------

Question: what is the danger in using environment variables to hold secret 
info?

Answer:  The Django runtime will dump secret info from environment 
variables into an HTTP response, in some circumstances.  Once secret info 
is in an HTTP response on the open internet, the secrecy is compromised.  
As far as I know, the Django runtime will never dump the contents of the 
settings object into an HTTP response.

The defenses of environment variables, as described in this thread, are all 
vulnerable to human error.  Except possibly the one by Mike DeWhirst.

The human error is as simple as this:

On Elastic Beanstalk,

git checkout DEBUG_branch 

eb use  PRODUCTION_environment

eb deploy 

 
#---------------------

Question: what did I mean by "github security" as protection for secret 
information stored in a plaintext file in the github repository?

Answer:  There are two ways to access a file in a private github 
repository.  One way is through hacking my password, and the other is by 
breaching the protection that github applies to keep a private repository 
private.

My github password is random and has more than 120 bits of entropy.  In 
practical terms, it is safe from brute-force hacking.  As for the methods 
that github uses to keep a repository private, I have no specific 
information.  But I take it on faith that smart people have thought about 
it; and that's what I mean by "trusting github security".

#---------------------

Lastly,  I'm not trying to persuade anybody of the one true way to do 
things.  Every method of storing secrets has strengths and weaknesses.  I 
have an opinion: using environment variables is more dangerous than 
generally believed, and, in my opinion, keeping secrets in plaintext in the 
repository is less dangerous than generally believed.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/5e34a2a5-e226-4688-9d53-d5151bb741be%40googlegroups.com.
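The human error the post describes (a DEBUG branch deployed to the production environment, after which Django's debug error page can render the process environment into an HTTP response) is exactly the kind of mistake a pre-deploy check can refuse. The following is an added example, not code from the post, from Django, or from Elastic Beanstalk: a small Python guard that models that failure mode and fails closed. The variable names DJANGO_DEBUG and DEPLOY_TARGET, the secret-name pattern, and the sample environments are assumptions of this example; the pattern is our own, not Django's exception-reporter filter.

```python
"""Pre-deploy guard for the DEBUG-branch-on-production mistake.

Scenario modelled (from the post): a branch with DEBUG enabled is deployed
to the production environment, and the debug 500 page then renders the
process environment, secrets included, into an HTTP response.
The variable names and the secret-name pattern below are assumptions of
this example, not conventions of Django or Elastic Beanstalk.
"""
import re
from typing import Dict, List

# Names that suggest the value is a secret. Our own pattern, chosen for
# this example; it is not Django's exception-reporter filter.
SECRET_NAME_RE = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)

# Strings that count as "true" when a boolean setting is read from the env.
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_bool(value: str) -> bool:
    """Interpret an environment-variable string as a boolean."""
    return value.strip().lower() in TRUE_VALUES


def secret_like_names(env: Dict[str, str]) -> List[str]:
    """Return the variable names that look like they hold secrets."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


def exposed_on_debug_page(env: Dict[str, str]) -> List[str]:
    """Secret-like variables that would be rendered if DEBUG were on.

    Models the failure mode only: with DEBUG enabled the process
    environment reaches the debug error page; with DEBUG off it does not.
    """
    if not parse_bool(env.get("DJANGO_DEBUG", "false")):
        return []
    return secret_like_names(env)


def deployment_findings(env: Dict[str, str]) -> List[str]:
    """Return human-readable problems with this environment (empty if none)."""
    findings: List[str] = []
    debug = parse_bool(env.get("DJANGO_DEBUG", "false"))
    target = env.get("DEPLOY_TARGET", "unknown")

    if debug and target == "production":
        findings.append("DEBUG is enabled on the production target")

    exposed = exposed_on_debug_page(env)
    if exposed:
        findings.append(
            "DEBUG would render secret-like variables into error pages: "
            + ", ".join(exposed)
        )
    return findings


def assert_safe_to_deploy(env: Dict[str, str]) -> None:
    """Fail closed: refuse the deploy when any finding exists."""
    findings = deployment_findings(env)
    if findings:
        raise RuntimeError("refusing to deploy:\n  " + "\n  ".join(findings))


# Constructed sample environments; the values are placeholders, not secrets.
PRODUCTION_ENV = {
    "DEPLOY_TARGET": "production",
    "DJANGO_DEBUG": "False",
    "DJANGO_SECRET_KEY": "example-not-a-real-key",
    "DATABASE_PASSWORD": "example-not-a-real-password",
}

# Same target, but the DEBUG branch was checked out before `eb deploy`.
DEBUG_BRANCH_ON_PRODUCTION = dict(PRODUCTION_ENV, DJANGO_DEBUG="True")


if __name__ == "__main__":
    for label, env in (("production branch", PRODUCTION_ENV),
                       ("DEBUG branch", DEBUG_BRANCH_ON_PRODUCTION)):
        try:
            assert_safe_to_deploy(env)
            print(f"{label}: ok")
        except RuntimeError as exc:
            print(f"{label}: {exc}")
```

Run the guard from the deploy script before `eb deploy`; the first environment passes and the second is refused with both findings. The check is deliberately coarse: it does not inspect the code, only the environment the process will start with, which is the thing the post's mistake gets wrong.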