Django settings.py
contains the most sensitive information of your project. Hard coding key details such as SECRET_KEY
,ALLOWED_HOSTS
, database settings such database password
, database host
, database port
, database username
in your codebase is a security risk. In this article, we will discuss how to secure your Django SECRET_KEY
by using environment variables and the python dotenv
library. While I will focus on the SECRET_KEY
, the same principles can be applied to other sensitive information in your Django project.
Why is the Django SECRET_KEY
important?
Django uses the SECRET_KEY
to provide cryptographic signing, protection against CSRF attacks, and other security features. If an attacker gains access to your SECRET_KEY
, they can potentially compromise the security of your Django project. It is crucial to keep the SECRET_KEY
confidential and secure.
Installing the python-dotenv
library
The python-dotenv
library allows you to load environment variables from a .env
file into your Django project. To install the python-dotenv
library, you can use pip
:
pip install python-dotenv
If you do have a requirements.txt
file, you can add the python-dotenv
library to it.
Creating a .env
file
Create a .env
file in the root directory(the same directory as manage.py) of your Django project. Add the SECRET_KEY
to the .env
file in the following format:
SECRET_KEY="your_secret_key_here"
Adding the .env
file to .gitignore
The .env
file contains sensitive information, and you should not commit it to your version control system. To prevent the .env
file from being accidentally committed, add it to your .gitignore
file. Here is an example of how you can add the .env
file to your .gitignore
file:
# .gitignore
.env
Loading the SECRET_KEY
from the .env
file
In your settings.py
file, you will need to import the os
and dotenv
modules and load the SECRET_KEY
from the .env
file. Here is an example of how you can do this:
import os
from dotenv import load_dotenv
load_dotenv()
load_dotenv()
will load the environment variables from the .env
file into your Django project. After reading from the .env file, load_dotenv()
will update the os.environ
dictionary with the key-value pairs from the .env file.
- It is important to call
load_dotenv()
before accessing theSECRET_KEY
in yoursettings.py
file.
Accessing the SECRET_KEY
in your settings.py
file
Now that you have loaded the SECRET_KEY
from the .env
file, you can access it in your settings.py
file using the os
module:
SECRET_KEY = os.getenv('SECRET_KEY')
By using os.getenv('SECRET_KEY')
, you can access the SECRET_KEY
value stored in the .env
file. This ensures that the SECRET_KEY
is not hard-coded in your codebase and is kept secure.
Please note the above steps can be applied to other sensitive information in your Django project.
Happy coding! 🚀🐍