Often when working on a Django project, we have secret keys, OAuth keys and other critical information that needs to be kept safe and private. You should never expose such keys, because anyone who obtains them can impersonate your application or forge its sessions.
Today, we are going to see how we can use python-dotenv to keep such information out of the code. As the docs explain, python-dotenv reads key-value pairs from a .env file and sets them as environment variables, so the application can retrieve them later.
First and foremost let's install this module.
pip install python-dotenv
Then create a .env file in the root directory of our project. This is where we will put key-value pairs for all the environment variables required by our application.
Okay, what should we put in the .env file?
- The secret key that comes with every Django project. This needs to be kept private because it is the crucial part of Django's security (signing of sessions, cookies and tokens).
- Social auth configs for GitHub.
- Social auth configs for Google or any other OAuth keys.
.env
SECRET_KEY = 'YOUR SECRET KEY'
GITHUB_KEY = 'YOUR GITHUB KEY'
GITHUB_SECRET = 'YOUR GITHUB SECRET KEY'
GOOGLE_KEY = 'YOUR GOOGLE KEY'
GOOGLE_SECRET = 'YOUR GOOGLE SECRET KEY'
- Pull these configs from .env and load them in the settings.
settings.py
from dotenv import load_dotenv
load_dotenv() # loads the configs from .env
Now instead of exposing our secret keys and OAuth keys in the settings, let's retrieve them through their key names as follows.
settings.py
import os  # needed for os.getenv below
# SECURITY WARNING: keep the secret key used in production secret!
# Note: str(os.getenv(...)) returns the literal string 'None' if the variable is missing,
# so make sure every key listed here is present in .env or the process environment.
SECRET_KEY = str(os.getenv('SECRET_KEY'))
# social auth configs for github
SOCIAL_AUTH_GITHUB_KEY = str(os.getenv('GITHUB_KEY'))
SOCIAL_AUTH_GITHUB_SECRET = str(os.getenv('GITHUB_SECRET'))
# social auth configs for google
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = str(os.getenv('GOOGLE_KEY'))
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = str(os.getenv('GOOGLE_SECRET'))
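As an added example (not code from the original post and not python-dotenv's own implementation), the block below shows what load_dotenv() does under the hood with a minimal stand-in parser for the .env format used above, and a require_env() helper that fails fast when a key is missing instead of silently turning it into the string 'None' as str(os.getenv(...)) does. The .env contents are constructed placeholders; the names load_env_file, require_env and MissingSetting are this example's own.

```python
"""Added example: a minimal stand-in for python-dotenv's load_dotenv(), plus a
fail-fast settings helper. Not python-dotenv's code; function names are
this example's own."""
import os
import tempfile
from pathlib import Path

# Constructed sample .env in the same style as the post (placeholders, not real keys).
SAMPLE_ENV = """\
# comments and blank lines are ignored
SECRET_KEY = 'YOUR SECRET KEY'
GITHUB_KEY = 'YOUR GITHUB KEY'
GITHUB_SECRET = "YOUR GITHUB SECRET KEY"
export GOOGLE_KEY=YOUR-GOOGLE-KEY
"""

MANAGED_KEYS = ("SECRET_KEY", "GITHUB_KEY", "GITHUB_SECRET", "GOOGLE_KEY", "GOOGLE_SECRET")


def parse_env_text(text):
    """Parse KEY=value lines into a dict.

    Handles comments, blank lines, an optional 'export ' prefix, whitespace
    around '=', and single- or double-quoted values (quotes are stripped)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue  # malformed line: skipped, as the library also does
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            value = value[1:-1]
        values[key] = value
    return values


def load_env_file(path, override=False):
    """Put the parsed pairs into os.environ.

    Like load_dotenv(), a variable already present in the process environment
    wins unless override=True. Returns the pairs that were actually applied."""
    applied = {}
    for key, value in parse_env_text(Path(path).read_text()).items():
        if override or key not in os.environ:
            os.environ[key] = value
            applied[key] = value
    return applied


class MissingSetting(RuntimeError):
    """Raised when a required setting is absent from .env and the environment."""


def require_env(name):
    """Fail fast on a missing or empty variable.

    The post's str(os.getenv(name)) would return the literal string 'None',
    which Django would then happily use as SECRET_KEY."""
    value = os.getenv(name)
    if not value:
        raise MissingSetting(f"{name} is not set; add it to .env or the environment")
    return value


def demo():
    """Write the constructed .env to a temp dir, load it, and compare the two lookups."""
    for key in MANAGED_KEYS:          # start from a clean process environment
        os.environ.pop(key, None)
    os.environ["GITHUB_KEY"] = "from-shell"   # simulate a value already set by the shell
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text(SAMPLE_ENV)
        applied = load_env_file(env_path)
    naive_missing = str(os.getenv("GOOGLE_SECRET"))   # GOOGLE_SECRET is not in the file
    try:
        require_env("GOOGLE_SECRET")
        strict_raised = False
    except MissingSetting:
        strict_raised = True
    return {
        "secret_key": os.environ["SECRET_KEY"],
        "github_key": os.environ["GITHUB_KEY"],   # shell value wins over .env
        "google_key": os.environ["GOOGLE_KEY"],
        "applied": sorted(applied),
        "naive_missing": naive_missing,           # 'None' (the silent failure)
        "strict_raised": strict_raised,           # True (the loud failure)
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind from the run: a variable the shell already exports is not overwritten by .env (the library behaves the same way by default), and a key that is missing from .env comes back as the string 'None' through str(os.getenv(...)), so a check like require_env() at settings load time is cheap insurance. The .env file itself must also stay out of version control (add it to .gitignore), otherwise the secrets end up in the repository anyway.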
That's it: with these simple steps we keep the secrets out of the code base and make our app more secure.
Thanks for your time. You can find the finished app on GitHub. See you next time with another part of the series.
Any comments and suggestions are welcome.
Top comments (7)
This really helped me out! It is worth stating that if you have an application deployed, you should specify the path of the dot env on the settings file like so:
I'm glad you found it helpful. Thanks for the note too :)
Thanks Hannah. Ideally, this should've been part of basic Django tutorials.
I notice you are a great Django fan. I was but recently studying JavaScript based web application platforms. I'm curious to see whether newer platforms are elegant. If you have done some experiments in non-Django platforms, please share
Hello, Thanks for the comment. Yes, it's a basic Django tutorial but I put it here since it's part of my ongoing series for the registration/login app.
I can't really say much about the newest platforms that are available since I don't have experience with them although I did some web development with PHP.
You are right, with all the different platforms available for web development it might be a bit overwhelming to choose one but I think it all comes down to which one is tailored to your specific need. The one that is elegant is the platform that suits your needs (In my opinion), so do some research and see which one you should use for a particular case and which one you should not.
Very helpful thanks
I'm glad you found it helpful.
If you get an error
you should use
for the installation