
149 points rbanffy | 2 comments
1. 8organicbits No.42152747
Don't store secrets in settings.py. Typically you'd inject those from secrets management as environment variables.
replies(1): >>42156663
2. halfcat No.42156663
And also, when possible, try to use a key manager over environment variables.

Using a library like keyring [1] is a significant step up from a .env file sitting in your dev environment.

In other words:

- Store secrets in settings.py (bad)

- Store secrets in .env file (better)

- Store secrets in OS-level key vault (even better)

When the secrets are in a plaintext .env file, that file can get leaked in many non-obvious ways. Your antivirus uploads a copy, your IT department runs backups, someone on the team clones your git repo to a OneDrive/Dropbox folder and puts the .env file there. Then if any of those services has a leak, or any of the services those services use has a leak (an improperly configured S3 bucket, etc.), your secrets are leaked.

[1] https://github.com/jaraco/keyring
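As an added illustration of the layering the two comments describe (not code from either commenter or from the keyring project), here is a small secret resolver for a Django-style settings.py: it asks the OS key vault first through keyring, falls back to an environment variable injected by a secrets manager, and refuses to start rather than silently using a hardcoded value. `keyring.get_password(service, username)` is the library's real API; the service name `myproject`, the setting names, and the `lookup`/`env` parameters (which exist so the resolver can be exercised without a real vault) are assumptions of this example.

```python
"""Layered secret lookup for a Django settings.py (added example).

Resolution order: OS key vault (via the keyring library) first,
environment variable second; if neither has the value, fail at
startup instead of falling back to a hardcoded default.
"""
import os
from typing import Callable, Dict, Iterable, Mapping, Optional

Lookup = Callable[[str, str], Optional[str]]

try:
    import keyring  # https://github.com/jaraco/keyring

    def _os_vault_lookup(service: str, name: str) -> Optional[str]:
        # keyring.get_password(service, username) returns None when the
        # entry does not exist in the OS vault.
        return keyring.get_password(service, name)

    DEFAULT_LOOKUP: Optional[Lookup] = _os_vault_lookup
except ImportError:
    # keyring not installed, e.g. a minimal production image that receives
    # secrets as environment variables from a secrets manager instead.
    DEFAULT_LOOKUP = None

# Hypothetical service name used as the keyring "service" namespace.
SERVICE_NAME = "myproject"


class SecretUnavailable(RuntimeError):
    """Raised when a required secret is in neither the vault nor the environment."""


def _from_vault(name: str, lookup: Optional[Lookup], service: str) -> Optional[str]:
    if lookup is None:
        return None
    try:
        value = lookup(service, name)
    except Exception:
        # No usable keyring backend (headless CI, locked desktop session, ...):
        # treat as "not found" and let the next tier decide.
        return None
    return value or None  # an empty string counts as missing


def _from_env(name: str, env: Mapping[str, str]) -> Optional[str]:
    return env.get(name) or None  # an empty variable counts as missing


def secret_source(name: str, *, lookup: Optional[Lookup] = DEFAULT_LOOKUP,
                  env: Optional[Mapping[str, str]] = None,
                  service: str = SERVICE_NAME) -> str:
    """Report which tier supplies `name`: 'vault', 'env' or 'missing'.

    Safe to log at startup because it never returns the secret itself."""
    env = os.environ if env is None else env
    if _from_vault(name, lookup, service) is not None:
        return "vault"
    if _from_env(name, env) is not None:
        return "env"
    return "missing"


def get_secret(name: str, *, lookup: Optional[Lookup] = DEFAULT_LOOKUP,
               env: Optional[Mapping[str, str]] = None,
               service: str = SERVICE_NAME) -> str:
    """Return the secret value, preferring the OS vault over the environment."""
    env = os.environ if env is None else env
    value = _from_vault(name, lookup, service)
    if value is None:
        value = _from_env(name, env)
    if value is None:
        raise SecretUnavailable(
            f"{name!r} not found in keyring service {service!r} or in the "
            f"environment; refusing to start with a hardcoded default"
        )
    return value


def audit_secrets(names: Iterable[str], **kw) -> Dict[str, str]:
    """Map each required setting to its source; useful as a startup check."""
    return {n: secret_source(n, **kw) for n in names}


if __name__ == "__main__":
    # Typical settings.py usage (setting names are placeholders):
    #   SECRET_KEY = get_secret("DJANGO_SECRET_KEY")
    #   DATABASES["default"]["PASSWORD"] = get_secret("DB_PASSWORD")
    print(audit_secrets(["DJANGO_SECRET_KEY", "DB_PASSWORD"]))
```

On a developer machine the entry is created once with `keyring set myproject DB_PASSWORD` and never touches the repository or a .env file; in a container the same code picks up the variable the secrets manager injected, and `audit_secrets` gives a startup log line that names the source of each secret without printing the value.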