A Guide to Protecting your Django Secret and OAuth Keys

Written by vladyslav | Published 2020/11/16
Tech Story Tags: django | security | is | important | django-tips | how-to-django | coding | programming | web-monetization

TLDR: The SECRET_KEY is a crucial part of the security of Django, as exposing it can compromise a project. I see many of my software engineer friends miss a couple of key points when developing Django projects. I will introduce to you a method that will ensure you never expose your project's private keys ever again, dotenv. This will install a dotenv requirement that will be used to retrieve your secret keys from a file only you have access to. If you were using any other keys, such as OAuth keys, the method would work the same.

If you've stumbled upon my article, I assume you are working on a Django project and are wondering how to secure your project information, more importantly, security keys. If so, you've come to the right place as I am about to teach you the best method of doing it.
More often than not, I see many of my software engineer friends miss a couple of key points when developing Django projects, and that is not hiding their SECRET_KEY and other OAuth keys. This is a crucial part of the security of Django: anyone who obtains the SECRET_KEY can forge the values Django signs with it (sessions, password-reset tokens, CSRF tokens) and thereby compromise the project.
Let's begin. Suppose we have just started a brand new Django project. Just in case, here is the format:
django-admin startproject project
Now that we have created a new project, let's navigate into the root directory, that being project/, and into the settings.py file.
On the 23rd line of the code, you will find a variable titled SECRET_KEY.
import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'ek0@9u(zemu^+%*-z3!&y9mu_7u+edg9%)c%423mdoec-mi*'
Here we see that, for the purpose of this blog post, my Django secret key is exposed in the source file itself.
Now, I will introduce to you a method that will ensure you never expose your project's private keys ever again: dotenv.
In your project terminal, type
pip3 install python-dotenv
This will install the python-dotenv package, which is used to retrieve your secret keys from a file only you have access to.
Next, near the top of your settings.py file (before any os.getenv() call, so the values are already loaded when they are read), add the following two lines:
from dotenv import load_dotenv  # reads .env and merges its variables into os.environ
load_dotenv()                   # call once, before any settings that read os.environ
Afterward, in the root of your project, create a file titled .env which will serve as your environment variable secret storage for your project.
In the .env, you will declare your variables with an = sign and paste their information as such:
# .env
SECRET_KEY=ek0@9u(zemu^+%*-z3!&y9mu_7u+edg9%)c%423mdoec-mi*
Next, in your settings.py, you will retrieve the key as follows:
# settings.py
SECRET_KEY = os.environ['SECRET_KEY']  # raises KeyError if unset, rather than str(None) silently becoming the key 'None'
What this line does is read SECRET_KEY from the process environment, into which load_dotenv() has already merged the contents of the .env file. Indexing os.environ directly (instead of wrapping os.getenv() in str()) makes a missing variable fail loudly at startup instead of quietly running with the string 'None' as your secret key.
To ensure no one receives access to the .env file, it is a general protocol to put your .env file in the .gitignore to make sure it won't be committed to GitHub. If the key was ever committed before you did this, it still lives in the repository history, so generate a new SECRET_KEY and replace the old one.
If you were using any other keys, such as OAuth keys, the method would work the same. For example, here I will implement an OAuth key to use the Twitter OAuth method.
# settings.py
TWITTER_OAUTH_KEY = os.environ['TWITTER_OAUTH_KEY']  # fail fast if the variable is missing
and retrieve the key from my environment file,
# .env
TWITTER_OAUTH_KEY=[twitter-oauth-key-here]
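The steps above (a KEY=VALUE file, load_dotenv() merging it into the process environment, and settings.py reading the variables) can be exercised without Django at all. The following is an added example, not code from the original post or from python-dotenv: parse_dotenv() is a hypothetical stand-in for load_dotenv() that handles only the KEY=VALUE lines and # comments the article's .env uses, and the sample .env content is constructed (the key value is the one the post shows as exposed, so it is not a real secret). It also contrasts the post's original str(os.getenv(...)) pattern, which turns a missing variable into the string 'None', with a fail-fast accessor.

```python
"""Load a .env-style file and read secrets from it, failing fast when absent.

Added example, not part of the original post. parse_dotenv() and
load_into_environ() are hypothetical stand-ins for python-dotenv's
load_dotenv(); they cover only KEY=VALUE lines and # comments.
"""
import os
from typing import Dict, Optional

# Constructed sample .env content mirroring the post's layout (not real keys).
SAMPLE_DOTENV = """
# .env  (constructed sample)
SECRET_KEY=ek0@9u(zemu^+%*-z3!&y9mu_7u+edg9%)c%423mdoec-mi*
TWITTER_OAUTH_KEY=[twitter-oauth-key-here]
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blank lines and # comments.

    Only the first '=' splits key from value, so values that themselves
    contain '=' (e.g. base64-encoded keys) survive intact.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip()
    return values


def load_into_environ(values: Dict[str, str],
                      environ: Optional[Dict[str, str]] = None) -> None:
    """Mimic load_dotenv(): set variables but never override ones already
    present, so a real deployment environment wins over the file."""
    target = os.environ if environ is None else environ
    for key, value in values.items():
        target.setdefault(key, value)


def naive_secret(name: str, environ: Optional[Dict[str, str]] = None) -> str:
    """The post's original pattern, str(os.getenv(name)): when the variable
    is missing this silently returns the string 'None' as the secret."""
    target = os.environ if environ is None else environ
    return str(target.get(name))


def required_secret(name: str, environ: Optional[Dict[str, str]] = None) -> str:
    """Fail fast: a missing or empty secret raises instead of becoming 'None'."""
    target = os.environ if environ is None else environ
    value = target.get(name, "")
    if not value:
        raise RuntimeError(
            f"{name} is not set; add it to .env or the process environment")
    return value


if __name__ == "__main__":
    env: Dict[str, str] = {}  # isolated stand-in for os.environ
    load_into_environ(parse_dotenv(SAMPLE_DOTENV), env)
    print("SECRET_KEY loaded:", required_secret("SECRET_KEY", env)[:6] + "...")
    print("naive lookup of a missing key yields:", naive_secret("MISSING", {}))
    try:
        required_secret("MISSING", {})
    except RuntimeError as exc:
        print("fail-fast lookup raised:", exc)
```

Using a dict instead of os.environ in the demo keeps the run isolated; in settings.py you would drop the environ argument so the helpers operate on the real process environment, exactly as load_dotenv() does.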
If you would like to follow my software engineering path, feel free to follow me on GitHub.

Written by vladyslav | software engineer @ planet earth
Published by HackerNoon on 2020/11/16