SECRET_KEY published¶
A secret key has to be be kept secret. Make sure it is only used in production, but nowhere else. Especially, avoid committing it to source control. This increases security and makes it less likely that an attacker may acquire the key.
Anti-pattern¶
This settings.py contains a SECRET_KEY. You should not do this!
""" settings.py """
SECRET_KEY = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
Better Practices¶
Load key from environment variable¶
Instead of publishing your secret key, you can use an environment variable to set your secret key.
import os
SECRET_KEY = os.environ['SECRET_KEY']
Load secret key from file¶
Alternatively, you can read the secret key from a file.
with open('/etc/secret_key.txt') as f:
SECRET_KEY = f.read().strip()