Django: Secret key published #52

Open
programmdesign opened this issue May 12, 2015 · 3 comments
Comments

@programmdesign
Contributor

Using environment variables is not a best practice. Probably reword the section to "Alternatives" and point out the downside of using environment variables.

@Glueon
Contributor

Glueon commented May 18, 2015

Why not? That is mentioned as a solution in Django Two Scoops as well as the json file-like solution.

Also it's very popular among developers (including myself) who use Docker for deployments.

@programmdesign
Contributor Author

@Glueon: Anytime you have to store a password, it is insecure. Environment variables are of course better than storing your secret key openly in your repo (hence: better practice). However, it is considered best practice to encrypt secret data. There are several tools out there that help you read secret data from encrypted files. If you use Ansible, have a look at https://docs.ansible.com/playbooks_vault.html. Also simplecrypt is an option: https://pypi.python.org/pypi/simple-crypt

@Glueon
Contributor

Glueon commented May 18, 2015

The main goal of using playbooks_vaults is to be able to store sensitive data in a SVC.

But I do not see such a need for Django as soon as you have a proper separation of settings files, where you have dev and prod settings modules which inherit from a base one. Base is in a SVC, the others are not.

Also you'll have to supply that password using, for example, an ENV variable. But why not just pass a secret key using an ENV?

An example could help.
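
Added example, not part of the thread or of the project's code: a settings helper covering the two options discussed above (environment variable, or a JSON secrets file kept out of version control) that fails at startup instead of falling back to a default key. The names `DJANGO_SECRET_KEY`, `DJANGO_SECRETS_FILE`, `load_secret_key` and `SecretKeyError` are assumptions made for this sketch.

```python
import json
import os
import stat

# Assumption: 50 characters, the length of a key from Django's own key generator.
MIN_KEY_LENGTH = 50


class SecretKeyError(RuntimeError):
    """Raised so a misconfigured deployment fails at startup, not at first request."""


def _validate(key, origin):
    # Reject missing, non-string, or short values (e.g. a leftover placeholder).
    if not isinstance(key, str) or len(key) < MIN_KEY_LENGTH:
        raise SecretKeyError(
            f"SECRET_KEY from {origin} is missing or shorter than {MIN_KEY_LENGTH} chars")
    return key


def _from_file(path):
    # Refuse a secrets file that group or other users can access (POSIX modes).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretKeyError(f"{path} has mode {mode:o}; expected 600 or stricter")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    key = data.get("SECRET_KEY") if isinstance(data, dict) else None
    return _validate(key, path)


def load_secret_key(environ=os.environ):
    """Return the key from the environment, else from a JSON file; never a default."""
    key = environ.get("DJANGO_SECRET_KEY")  # hypothetical variable name
    if key:
        return _validate(key, "environment")
    path = environ.get("DJANGO_SECRETS_FILE")  # hypothetical variable name
    if path:
        return _from_file(path)
    raise SecretKeyError("set DJANGO_SECRET_KEY or DJANGO_SECRETS_FILE")


# In the prod settings module (the one kept out of version control in the
# layout described in the thread):
# SECRET_KEY = load_secret_key()
```

Either source keeps the key out of the repository; the file branch additionally rejects a secrets file whose permissions let other local users read it.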
