Change secret storage recommandation #59
Description
I would recommend putting the secret key inside an .env file that would store all secrets (including admin and database password) and from settings.pygetting the secret key like this. Then we can gitignore the .envfile.
settings.py
import os
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ.get(
"DJANGO_SECRET_KEY"
).env
DATABASE_NAME=**********
DATABASE_USER=**********
DATABASE_PASSWORD=**********
...
DJANGO_SECRET_KEY={SECRET_KEY}
...I think this method helps preventing mistakes while facilitating collaboration as there are many things we can change inside settings.pythat we would want other developpers to pull.
The current recommendation:
So recommended: Keep it safe. Ignore
settings.py file in your commits. Change the secret
key on your deploy. If you lost the secret key for any reason or
the server got compromised change it as soon as possible.