Find more articles in our new Python Knowledge Base

SECRET_KEY published

A secret key has to be be kept secret. Make sure it is only used in production, but nowhere else. Especially, avoid committing it to source control. This increases security and makes it less likely that an attacker may acquire the key.

Anti-pattern

This settings.py contains a SECRET_KEY. You should not do this!

""" settings.py """
SECRET_KEY = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

Better Practices

Load key from environment variable

Instead of publishing your secret key, you can use an environment variable to set your secret key.

import os
SECRET_KEY = os.environ['SECRET_KEY']

Load secret key from file

Alternatively, you can read the secret key from a file.

with open('/etc/secret_key.txt') as f:
    SECRET_KEY = f.read().strip()

References