Don't store secrets in settings.py. Typically you'd inject those from secrets management as environment variables.
replies(1):
Using a library like keyring [1] is a significant step up from a .env file sitting in your dev environment.
In other words:
- Store secrets in settings.py (bad)
- Store secrets in .env file (better)
- Store secrets in OS-level key vault (even better)
When the secrets are in a plaintext .env file, that file can get leaked in many non-obvious ways. Your antivirus uploads a copy, your IT department runs backups, someone on the team clones your git repo to a OneDrive/Dropbox folder and puts the .env file there. Then, if any of those services has a leak, or any of the services those services use has a leak (improperly configured S3 bucket, etc.), your secrets are leaked.
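The lookup order the reply recommends, written out as an added example (this is not code from the thread, from Django, or from the keyring project). It assumes the `keyring` package is installed for the first lookup and uses a hypothetical service name `myproject`; when keyring is missing or has no usable backend it falls through to environment variables, and it never falls through to a literal in settings.py. `MemoryVault`, `find_literal_secrets` and the sample settings text are constructed here so the module runs offline.

```python
import os
import re
from typing import Callable, Iterable, Mapping, Optional

# Hypothetical service name under which this project's secrets live in the
# OS keyring (an assumption for the example; choose your own).
KEYRING_SERVICE = "myproject"

Provider = Callable[[str], Optional[str]]


class MissingSecret(RuntimeError):
    """No provider had the secret. Fail closed instead of falling back to a
    default baked into settings.py."""


def keyring_provider(name: str) -> Optional[str]:
    """Look `name` up in the OS credential store via the keyring library.
    Returns None when keyring is not installed or no backend is usable
    (e.g. a headless CI box), so the caller moves on to the next provider."""
    try:
        import keyring
        from keyring.errors import KeyringError
    except ImportError:
        return None
    try:
        return keyring.get_password(KEYRING_SERVICE, name)
    except KeyringError:
        return None


def make_env_provider(environ: Mapping[str, str]) -> Provider:
    """Provider that reads from a process-environment-like mapping (what a
    secrets manager or container runtime injects). Empty values count as unset."""
    def provider(name: str) -> Optional[str]:
        return environ.get(name) or None
    return provider


env_provider = make_env_provider(os.environ)


def get_secret(name: str,
               providers: Iterable[Provider] = (keyring_provider, env_provider)) -> str:
    """Return the first non-empty value from `providers`, in order: OS keyring
    first, environment second, nothing third."""
    for provider in providers:
        value = provider(name)
        if value:
            return value
    raise MissingSecret(f"secret {name!r} not found in any provider")


def store_secret(name: str, value: str) -> None:
    """One-time seeding of a developer machine: write to the OS vault with
    keyring.set_password instead of into a plaintext .env file."""
    import keyring
    keyring.set_password(KEYRING_SERVICE, name, value)


class MemoryVault:
    """Constructed stand-in for an OS keyring so the example runs offline.
    Real deployments use keyring_provider in its place."""

    def __init__(self, entries: Mapping[str, str]):
        self._entries = dict(entries)

    def lookup(self, name: str) -> Optional[str]:
        return self._entries.get(name)


# Setting names that should never be bound to a string literal in settings.py
# (the "bad" option in the thread). Assignments such as
#   SECRET_KEY = get_secret("DJANGO_SECRET_KEY")
# do not match because the right-hand side is not a quoted literal.
_LITERAL_SECRET = re.compile(
    r"^\s*([A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*['\"]",
    re.MULTILINE,
)


def find_literal_secrets(settings_source: str) -> list:
    """Return the names in `settings_source` assigned a string literal.
    Suitable as a pre-commit check over settings.py."""
    return _LITERAL_SECRET.findall(settings_source)


if __name__ == "__main__":
    # Constructed sample: one secret in the "vault", one in the environment.
    vault = MemoryVault({"DJANGO_SECRET_KEY": "from-keyring"})
    env = make_env_provider({"DB_PASSWORD": "from-env"})
    providers = (vault.lookup, env)
    print(get_secret("DJANGO_SECRET_KEY", providers))  # from-keyring
    print(get_secret("DB_PASSWORD", providers))        # from-env
    print(find_literal_secrets('SECRET_KEY = "hunter2"\nDEBUG = True\n'))  # ['SECRET_KEY']
```

In settings.py this reduces to `SECRET_KEY = get_secret("DJANGO_SECRET_KEY")`; the default provider tuple tries the keyring first and the environment second, so the same file works on a developer laptop seeded with `store_secret` and on a server where the orchestrator injects environment variables.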