Tl;DR
Hard coding config values and credentials is convenient but makes your code less secure and less portable. Use environment variables to make your code more secure and easy to deploy in different environments.
Bad:
TWILIO_SECRET_KEY = "iamverysneaky"
twilio_client = Twilio(key=TWILIO_SECRET_KEY)
The problem:
If someone gets access to your code, now they have access to your Twilio account too! Two problems for the price of one!
Good:
from dotenv import load_dotenv
load_dotenv()
twilio_client = Twilio(key=os.getenv("TWILIO_SECRET_KEY"))
If someone gets access to your code, at least your Twilio account (and user data!) is still safe.
To illustrate how this works, we'll move the auto-generated SECRET_KEY
value out of settings.py
and into an environment variable.
From this:
SECRET_KEY="thisismyunsecuredsecretkey"
To this:
SECRET_KEY=os.getenv("DJANGO_SECRET_KEY")
Do these things:
-
Download the dotenv package.
$ pip install python-dotenv
-
Create a file named
.env
in the same directory assettings.py
.
$ touch .env
-
Add the
.env
file to your.gitignore
. This is the most important step bc it keeps.env
, and thus your secret values, outside of version control/Git.
$ echo .env >> .gitignore
-
Add your config values and credentials to .env.
$ echo 'DJANGO_SECRET_KEY="thisismyunsecuredsecretkey"' >> .env
-
Import and load
os
anddotenv
intosettings.py
. This makes the values accessible.
import os from dotenv import load_dotenv ... load_dotenv()
-
Replace the original
SECRET_KEY
value with an environment variable lookup.
SECRET_KEY=os.getenv("DJANGO_SECRET_KEY")
Profit! By not getting sued by your users for letting their data get stolen. GDPR goodness!
Top comments (13)
How do you manage Boolean with python-dotenv? I mean that ( for example)DEBUG = True or DEBUG = False in .env file are always evaluated as True
Yeah, that's an unfortunate drawback of dotenv. There's a couple of things you can do.
DEBUG=''
.thanks for this
Don't ask my why the author did not accept my PR: github.com/theskumar/python-dotenv...
Converting types
The library reads and provides strings. If you need for example a boolean, it is up to you to convert the value.
Example:
This is really helpful, thanks. Agreedโit seems strange that your PR was rejected, given that variables with False values get (confusingly) cast to True.
Its simple. env always stores string in not only just python but also in javascript. simply parse the env value with json
import json
DEBUG = json.loads(os.getenv("DEBUG"))
if DEBUG:
print("Debugging")
Okay I'm surprised I didn't know that! Thanks. This'll save me some future headaches.
Sure! After time spent to True this, False that... and your app lives of itโs own life
Thanks James! I'm starting using this :) I'm moving from PyCharm to VSCode, and I notice use
.env
files in VSCode is more easy using"envFile"
parameter inlaunch.json
without any plugin and pip pacakge extra.I used to do this. Now I just have a mysecrets.py file (which is not in the repo obviously) and just type "from mysecrets import *" at the top of settings.py. The problem I had with .env is with debug mode. Say someone on your team accidentally deploys in prod with DEBUG=True. If an end-user hits a python exception for some reason, the environment variables all appear on the Django debug screen. In contrast, regular python variables in settings.py are obfuscated by Django. Have you noticed this? Does it concern you?
This produces errors when you push your app to heroku for hosting
Were you able to fix this?
Awesome, thanks!