9

How can I handle the security of web frameworks like django on github or any other public domain version control site.

The settings.py can and will often contain sensitive database information, passwords and secret keys, which must not be uploaded on the repository and in plain view.

What is the common practice and least hassle way of handling that?

Improve this question
1
  • 2
    There are many tutorials on this very subject but Twelve-Factor app is considered one of the best frameworks for software development. Commented Jul 11, 2017 at 5:11

4 Answers 4

Reset to default
6

As @Selcuk mentions, the 12 Factor App provides a nice guideline on how to protect and isolate your sensitive info.

In another answer here: Django settings: raise KeyError, raise ImproperlyConfigured or use defaults?
I explain the method I tend to use in order to be as close as possible to the 12 Factor guidelines.
In sort:

  1. Create a .env or .ini file with your project variables in it:

    DB_USERNAME=myDB
DB_PASSWORD=for_your_eyes_only
DEBUG=False
MY_DJANGO_KEY=no_peeking_this_is_secret
...
  2. Add .env and .env.* or .ini and .ini.* on your .gitignore file, thus protecting your sensitive info from been uploaded to github.
  3. Create a env.example (be careful not to name it with a . in the beginning, because it will get ignored). In that file you can put an example of the expected configuration in order to be re-producible by simply copy, paste, rename to .ini or .env.

  4. Use decouple.config to read your config file:

    on settings.py

    from decouple import Csv, config

DEBUG = config('DEBUG', cast=bool, default=True)
SECRET_KEY = config('MY_DJANGO_KEY')
...
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

After some digging this method worked quite well. Thanks. Here are some reference links that I used to get a final product: link 1 link 2
0

I generally use different settings.py for each stage (development, testing and prodcution). The only one that I keep on a version control is the one corresponding to development. The other settings.py are internal and, when required, they are copied to each instance of the server (testing and production).

Hope this helps.

Improve this answer

Comments

0

Easy answer: Add it to your .gitignore. That said, if you're intending to share your Django app, you'll want to provide at least the parts you edited for your app .

Improve this answer

Comments

0

Password and sensitive infos are stored in my case in individual settings dev_settings.py and prod_settings.py both files are in .gitignore. In settings.py I can switch between them via Environment like this :

DEV_SETTINGS = '_XXXXX_'

if os.environ.get('PROJECT_NAME_PROD', 'NO') == 'YES':
    from project.prod_settings import *
else:
    from project.dev_settings import *

With this you can still have your settings.py in the repository.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.