DEV Community

Discussion on: How to protect your Django Secret and OAuth Keys [2024 revised]

Yumei Leventhal

Hi there, I joined this forum just to ask this question :-) about this fantastic tip in this post:

My question relates to adding the .env file into .gitignore. How can an app run without the SECRET coming along in production? I read somewhere that a new .env file needs to be created on the production site. In that case, what's the difference between uploading the .env along with the rest of the app and creating a new .env file? Is the concern mostly over the security during uploading?

vladyslav nykoliuk

Thanks for your comment and welcome to Dev! So from my understanding, you already have a .env file in your development server. If that .env file works for you in development, keep that since it will most likely work for production as well. Any time I develop anything for production, I try to keep the .env consistent and hidden in the .gitignore. There shouldn't be any difference between uploading the development .env for production, as long as Django knows where to find your .env.

The biggest security concern that will come up in regards to the environment secrets is accidentally committing them to GitHub. Let me know if that clears up your question.

Happy Coding!
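
A worked version of the setup discussed above, added here as an illustration; it is not code from the post or from the article being discussed. It shows the three pieces a practitioner usually wants together: settings code that reads `SECRET_KEY` from the real environment first and from a `.env` file second, refuses to start if the key is missing or looks like a placeholder (Django's own `check --deploy` warns on keys shorter than 50 characters or starting with `django-insecure-`), and a small check that `.gitignore` really matches `.env` (a pattern such as `.env.*` does not). The function names, the minimal `.env` parser, the `ImproperlyConfigured` stand-in and the sample `.env` and `.gitignore` contents are all constructed for this example; Django is deliberately not imported so the block runs on its own.

```python
"""Load Django's SECRET_KEY from the environment or a local .env file and
refuse to start without a real one.  Added example, not the post's own code;
function names and sample inputs below are assumptions."""
import fnmatch
import os
import secrets
from typing import Dict, Mapping, Optional

MIN_SECRET_LENGTH = 50          # same threshold Django's security.W009 uses
PLACEHOLDERS = {"changeme", "secret", "your-secret-key"}


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (assumed)."""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE per line, '#' comments, an optional
    'export ' prefix, and matching single or double quotes around the value."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def generate_secret_key() -> str:
    """Fresh random key, comparable to Django's get_random_secret_key()."""
    return secrets.token_urlsafe(64)


def load_secret_key(environ: Mapping[str, str],
                    dotenv_text: Optional[str] = None) -> str:
    """The real environment wins over the .env file, so a deployment can
    inject the production key without shipping any file."""
    key = environ.get("SECRET_KEY")
    if key is None and dotenv_text is not None:
        key = parse_dotenv(dotenv_text).get("SECRET_KEY")
    if not key:
        raise ImproperlyConfigured("SECRET_KEY is not set; export it or put it in .env")
    if (len(key) < MIN_SECRET_LENGTH or key.startswith("django-insecure-")
            or key.lower() in PLACEHOLDERS):
        raise ImproperlyConfigured("SECRET_KEY is too short or a placeholder")
    return key


def startup_problem(environ: Mapping[str, str],
                    dotenv_text: Optional[str] = None) -> Optional[str]:
    """Return the configuration error as a string, or None when the key is fine."""
    try:
        load_secret_key(environ, dotenv_text)
    except ImproperlyConfigured as exc:
        return str(exc)
    return None


def is_ignored_by_gitignore(gitignore_text: str, path: str = ".env") -> bool:
    """True when the last matching .gitignore pattern for `path` is not negated.
    Handles comments, a leading '/', and '!' negation; glob semantics via fnmatch."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        negate = pattern.startswith("!")
        pattern = pattern[1:] if negate else pattern
        if fnmatch.fnmatch(path, pattern.lstrip("/")):
            ignored = not negate
    return ignored


# Constructed sample inputs (not taken from the post).
SAMPLE_DOTENV = """
# local development settings
export SECRET_KEY='dev-only-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP'
DEBUG=True
"""
SAMPLE_GITIGNORE = """
__pycache__/
*.pyc
.env
!.env.example
"""

if __name__ == "__main__":
    print("key from .env:", load_secret_key({}, SAMPLE_DOTENV)[:12], "...")
    print("env overrides .env:", load_secret_key({"SECRET_KEY": "p" * 60}, SAMPLE_DOTENV)[:8])
    print("missing key ->", startup_problem({}, None))
    print(".env ignored:", is_ignored_by_gitignore(SAMPLE_GITIGNORE, ".env"))
    print("'.env.*' ignores .env:", is_ignored_by_gitignore(".env.*\n", ".env"))
    print("fresh production key:", generate_secret_key())
```

In a real `settings.py` you would call `load_secret_key(os.environ, open(".env").read() if os.path.exists(".env") else None)` at import time; on a server the key can equally be placed in the process environment (a systemd `EnvironmentFile`, a container secret) so that nothing has to be uploaded alongside the code.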

Yumei Leventhal

Yes, this totally cleared up the fog on my end: Exposing the .env on GitHub is a security risk (as opposed to having .env on a server). Thank you for taking the time to explain! And yes, I followed the steps in this post and everything works beautifully. Since I read your post and became aware of the issue of protecting the Django secret, I've read other posts on how to do it, but none is as clean and easy to follow. So thank you for bringing this issue to the attention of new Django learners.

vladyslav nykoliuk

It is absolutely my pleasure! So glad it helped :)