Django Secret Keys Protection

Congratulations on finishing a website with Django as the backend. Before you announce it, make sure it is not needlessly exposed to attackers. A site whose secret key has leaked is far easier to attack than one whose key is protected, because anyone holding the key can forge everything the key is used to sign.

But what is the secret key? It is the long string of characters that Django generates automatically when you create a project. It lives in the settings.py file as SECRET_KEY, as shown below.

[Screenshot: the SECRET_KEY line in settings.py]

The secret key is used when

  • Django generates a password reset token to send to a registered user. The token is an HMAC derived from the secret key together with the user's state (primary key, password hash, last login and a timestamp). When the user clicks the link, Django recomputes the token with the current key; if it does not match, the reset is denied. Anyone who knows the key can mint a valid token for any user.

  • Data has to pass through a medium you do not trust (a cookie, a URL, a hidden form field) and you need to detect any change made to it on the way back. Django's cryptographic signing (django.core.signing) uses the secret key for this.

  • You use any session backend other than the cache backend (django.contrib.sessions.backends.cache). That includes the default database backend, because the session auth hash that ties a session to the user's password hash is keyed with the secret key, and it includes the signed_cookies backend, where the whole session lives in the browser and is protected only by the key.

  • You store values in cookies and read them back later (for example the messages framework's CookieStorage) and do not want users to tamper with them.
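To see why the key must stay secret, here is an added example that is not code from the original post and not Django's own implementation. It rebuilds the outline of Django's salted-HMAC signing (a per-purpose key derived from a salt and SECRET_KEY, then HMAC-SHA256 over the value) with only the standard library, and then checks the four things that matter: a genuine value verifies, a tampered value is rejected, a value forged by someone who holds the key is accepted, and every old signature dies when the key is rotated. The key strings and the cookie value are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed keys for the demo; neither is a real project key.
SECRET_KEY = "a9!q_3x$c7-demo-key-that-is-fifty-characters-long-0"
ROTATED_KEY = "b2@w_8z%m4-another-demo-key-after-rotation-xyz-11"


class BadSignature(Exception):
    """Raised when a signature does not match: tampering or a different key."""


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    # Derive a per-purpose key from salt + SECRET_KEY, so a signature made for one
    # purpose (sessions) cannot be replayed for another (password reset). This
    # mirrors the outline of django.utils.crypto.salted_hmac, not its exact bytes.
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the signature is safe inside a cookie
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def sign(value: str, secret: str, salt: str = "django.core.signing.Signer") -> str:
    """Return 'value:signature'. Anyone holding `secret` can produce this."""
    return f"{value}:{_b64(salted_hmac(salt + 'signer', value, secret))}"


def unsign(signed: str, secret: str, salt: str = "django.core.signing.Signer") -> str:
    """Return the original value, or raise BadSignature if it was altered or signed with another key."""
    value, _, sig = signed.rpartition(":")  # the signature itself never contains ':'
    expected = _b64(salted_hmac(salt + "signer", value, secret))
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise BadSignature(f"signature {sig!r} does not match {value!r}")
    return value


def verifies(signed: str, secret: str) -> bool:
    try:
        unsign(signed, secret)
        return True
    except BadSignature:
        return False


def demo() -> dict:
    """The properties that make SECRET_KEY worth protecting, each as a boolean."""
    cookie = sign("user_id=42", SECRET_KEY)                  # what the server sets
    tampered = cookie.replace("user_id=42", "user_id=1", 1)  # user edits the cookie
    forged = sign("user_id=1", SECRET_KEY)                   # attacker with a leaked key
    return {
        "genuine_ok": verifies(cookie, SECRET_KEY),
        "tampered_rejected": not verifies(tampered, SECRET_KEY),
        "forged_with_leaked_key_accepted": verifies(forged, SECRET_KEY),
        "old_cookie_after_rotation_rejected": not verifies(cookie, ROTATED_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the whole point of this article: the signature scheme gives no protection at all against someone who has the key, so hiding the key is not optional. The fourth result is the cost of rotating a leaked key: every signed cookie, session and pending reset link becomes invalid, which is why Django 4.1 added SECRET_KEY_FALLBACKS to let old signatures verify during a rotation window.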

How to Hide Secret Keys

When deploying your website, you will most likely keep the code in a GitHub repository. The secret key must never be pushed there: anyone who can read the repository (and, if it ever becomes public, anyone at all) would then hold your key, and a key that has been committed once stays in the git history even after you delete it from the file.

Instead, set the secret key as an environment variable and read it from there when Django starts, as shown below.

  • In development go to the terminal and set it as an environment variable


# On Windows (cmd.exe): quote the whole assignment. An unquoted & in the key
# would start a new command, and quoting only the value stores the quotes too.
set "secret_key=django-insecureu5owu7&1q__n0m_58!er=z7&l6n(0!gcu28o_#_3o7b7#err*2"

# In PowerShell
$env:secret_key = 'django-insecureu5owu7&1q__n0m_58!er=z7&l6n(0!gcu28o_#_3o7b7#err*2'

# In bash: single quotes, so that ! and $ in the key are not expanded by the shell
export secret_key='django-insecureu5owu7&1q__n0m_58!er=z7&l6n(0!gcu28o_#_3o7b7#err*2'

Note that a key printed in a tutorial (this one included) or left in an old commit is public. Generate a fresh one for your own project instead of reusing a key you have seen somewhere:

python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"

Then go to the settings.py file and set the secret key as shown below

import os

# Read the key from the environment. Indexing (rather than .get) makes a missing
# variable fail immediately with a KeyError at startup instead of leaving
# SECRET_KEY as None until Django first needs it.
SECRET_KEY = os.environ["secret_key"]

Run the server from the same terminal in which you set the variable; if it starts without an error, the key is being read from the environment. Remember that a variable set this way lives only as long as that terminal session. To avoid retyping it, save it in a file in the project directory (a .env file read by a helper such as python-dotenv is the usual choice) and add that file to .gitignore so it is never pushed to git. Confirm with git status that the file shows up as ignored, not as untracked.

  • In production, set the key as an environment variable on the server or platform you deploy to, never in a file that is part of the deployed code. Heroku, which calls these config vars, serves as the example.

On Heroku, follow the steps below

  • Go to your app and select the settings tab

  • Go to the Config Vars section and click Reveal Config Vars

[Screenshot: the Config Vars panel on the Heroku settings tab]

  • Add a config var whose key is secret_key and whose value is your secret key. The same thing can be done from the Heroku CLI with heroku config:set secret_key='...', which keeps the value out of your shell history only if you take care to use single quotes.

[Screenshot: the secret_key config var added on Heroku]

  • Lastly, the secret key definition in settings.py stays exactly as in development, since the variable name is the same on the server:

import os

# Same lookup as in development; a missing config var fails at startup
SECRET_KEY = os.environ["secret_key"]
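The steps above (environment variable in development, a git-ignored .env file so the value survives closing the terminal, a config var in production) can be wrapped in one helper that settings.py calls. The following is an added example, not code from the original post or from Django. It resolves the key from the environment first and a .env file second, refuses to start without one, and refuses to start outside DEBUG with a key that Django's own manage.py check --deploy would flag as security.W009 (shorter than 50 characters, fewer than 5 distinct characters, or still carrying the auto-generated django-insecure- prefix). The .env parser, the ImproperlyConfigured stand-in and the key strings are assumptions made for this demo; in a real settings.py you would import django.core.exceptions.ImproperlyConfigured instead.

```python
import os
import secrets
from pathlib import Path
from typing import Dict, List, Optional

# Alphabet Django's get_random_secret_key() draws its 50 characters from.
KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"

# Constructed keys for the demo; neither is a real project key.
GOOD_KEY = "q7%m_z(2k!p9-r4$v+w^e)8n@t1&y6u*c3=a0hf5j-xbdgil_s"
INSECURE_KEY = "django-insecure-" + "u5owu7q1n0m58erz7l6n0gcu28o3o7b7err2"


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (Django is not imported here)."""


def generate_secret_key(length: int = 50) -> str:
    """Fresh key from a CSPRNG, the same shape Django's get_random_secret_key() produces."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def weak_key_problems(key: str) -> List[str]:
    """The three conditions `manage.py check --deploy` reports as security.W009."""
    problems = []
    if len(key) < 50:
        problems.append("shorter than 50 characters")
    if len(set(key)) < 5:
        problems.append("fewer than 5 unique characters")
    if key.startswith("django-insecure-"):
        problems.append("still the auto-generated django-insecure- key")
    return problems


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for a git-ignored .env file (hypothetical helper; python-dotenv is the usual choice)."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip().strip("'\"")
    return values


def load_secret_key(env: Optional[Dict[str, str]] = None, dotenv_path: Path = Path(".env"),
                    debug: bool = False, name: str = "secret_key") -> str:
    """Resolve the key from the environment, then from .env; fail loudly rather than start without one."""
    env = dict(os.environ) if env is None else env
    key = env.get(name)
    if not key and dotenv_path.exists():
        key = parse_dotenv(dotenv_path.read_text()).get(name)
    if not key:
        raise ImproperlyConfigured(
            f"{name} is not set: export it or put it in {dotenv_path} (which must be listed in .gitignore)"
        )
    problems = weak_key_problems(key)
    if problems and not debug:
        # A weak key is tolerable on a developer laptop, never on a server.
        raise ImproperlyConfigured("refusing to start with a weak SECRET_KEY: " + "; ".join(problems))
    return key


def startup_error(env: Dict[str, str], debug: bool = False) -> Optional[str]:
    """Message load_secret_key() would fail with for `env` (no .env consulted), or None if it starts cleanly."""
    try:
        load_secret_key(env=env, dotenv_path=Path("/nonexistent/.env"), debug=debug)
    except ImproperlyConfigured as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("missing key  ->", startup_error({}))
    print("insecure key ->", startup_error({"secret_key": INSECURE_KEY}))
    print("good key     ->", startup_error({"secret_key": GOOD_KEY}))
    print("new key      ->", generate_secret_key())
```

In settings.py this becomes SECRET_KEY = load_secret_key(debug=DEBUG), so a server that was deployed without the config var, or with the development key still in place, fails at import time with a clear message instead of quietly running with a key that the whole internet has seen.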

Run python manage.py check --deploy once with the production settings to confirm Django has no complaints about the key, and then go ahead and tell people about the website you have built. Thank you for reading.