On 5/11/2020 1:54 am, Kegan Ronholt wrote:
> What is the best practice for hiding SECRET key in settings.py in
> production. I am finding all sorts of different ways to do it, but
> none seem to work.

I keep it in a file left out of the repository but in a "standard"
location known to the web server.

I have a simple utility to read the file into a list and just use a list
item as the secret key. I like it because there are typically half a
dozen different secrets per project. They include database credentials,
email server details, captcha keys and so on. It is handy having a
system to get all such stuff without needing to store it unsafely. I
also like using the top few lines for credentials and lower lines for
comments.

My standard location for such files includes a directory name based on
project name established in the settings so I don't have to think too
hard to manage credentials of any sort when creating new projects.

My view is that the only way secrecy can be compromised is if the server
itself is pwned. At that point you have to start again anyway.

Cheers

Mike



-- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/ad2ead73-7a13-b5ac-ee10-cf60edc92323%40dewhirst.com.au.
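
The approach described in the message above, sketched as an added example (not Mike's actual utility): a reader that settings.py could call to load the top lines of a credentials file kept outside the repository. The file name, the base-directory layout and the permission check are assumptions made for this illustration, and the sample file contents are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

CREDS_FILENAME = "credentials.txt"  # hypothetical name; lives at <base>/<project>/


class CredentialFileError(RuntimeError):
    """Raised when the credentials file is missing, too open, or too short."""


def read_credentials(base_dir, project, expected):
    """Return the first `expected` lines; any later lines are comments."""
    path = Path(base_dir) / project / CREDS_FILENAME
    try:
        with open(path, encoding="utf-8") as fh:
            # fstat on the open handle avoids a check-then-open race.
            mode = os.fstat(fh.fileno()).st_mode
            lines = fh.read().splitlines()
    except FileNotFoundError:
        raise CredentialFileError(f"no credentials file at {path}") from None
    # Added hardening (assumption): refuse files group/other can access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialFileError(f"{path} is open to group/other; chmod 600")
    creds = [line.strip() for line in lines[:expected]]
    if len(creds) < expected or not all(creds):
        raise CredentialFileError(f"{path} needs {expected} credential lines")
    return creds


def demo():
    """Build a constructed credentials file and read it as settings.py would."""
    with tempfile.TemporaryDirectory() as base:
        project_dir = Path(base) / "myproject"
        project_dir.mkdir()
        creds_file = project_dir / CREDS_FILENAME
        creds_file.write_text(
            "constructed-secret-key\ndbuser\ndbpass\n\nline 1 is SECRET_KEY\n"
        )
        os.chmod(creds_file, 0o600)
        secret_key, db_user, _db_pass = read_credentials(base, "myproject", 3)
        os.chmod(creds_file, 0o644)  # simulate a world-readable file
        try:
            read_credentials(base, "myproject", 3)
            rejected = False
        except CredentialFileError:
            rejected = True
        return secret_key, db_user, rejected


if __name__ == "__main__":
    print(demo())
```

In settings.py the call would look like `SECRET_KEY, DB_USER, DB_PASSWORD = read_credentials(base, project, 3)`, so a missing or over-permissive file stops startup instead of falling back to a default key.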