Django Cheat Sheet: Keep Credentials Secure with Environment Variables

James Timmins on September 17, 2019

Tl;DR Hard coding config values and credentials is convenient but makes your code less secure and less portable. Use environment variables to make ...
 
Nicola Erario

How do you manage Booleans with python-dotenv? I mean that (for example) DEBUG = True or DEBUG = False in the .env file are always evaluated as True.

James Timmins

Yeah, that's an unfortunate drawback of dotenv. There's a couple of things you can do.

  1. Explicitly check for a string value. DEBUG = (os.getenv("DEBUG") == 'true')
  2. Cast the val to a boolean DEBUG = bool(os.getenv("DEBUG")), and use an empty string to denote a false value DEBUG=''.
  3. Use a more fully-featured package like django-environ. There's slightly more configuration required, but if your project has multiple boolean settings it might be worth it. (I haven't actually used django-environ, but it looks pretty interesting so I may investigate).
 
Bhupesh Varshney 👾

thanks for this

Thomas Güttler

Don't ask me why the author did not accept my PR: github.com/theskumar/python-dotenv...

Converting types

The library reads and provides strings. If you need for example a boolean, it is up to you to convert the value.

Example:

import os
from distutils.util import strtobool  # distutils was removed in Python 3.12
DEBUG = bool(strtobool(os.getenv('DEBUG', 'True')))
 
David Talbot

This is really helpful, thanks. Agreed—it seems strange that your PR was rejected, given that variables with False values get (confusingly) cast to True.

eftehassanpp • Edited

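It's simple. env always stores strings, not just in Python but also in JavaScript. Simply parse the env value with json:

import json
import os

# The value must be valid JSON, e.g. DEBUG=true or DEBUG=false (lowercase).
# Default to "false" so an unset variable does not raise a TypeError.
DEBUG = json.loads(os.getenv("DEBUG", "false"))
if DEBUG:
    print("Debugging")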

Ansh Saini

Okay I'm surprised I didn't know that! Thanks. This'll save me some future headaches.

Nicola Erario

Sure! After time spent to True this, False that... and your app lives of its own life
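The boolean pitfall discussed in this thread, next to a strict parser, as an added example that is not part of any comment above or of python-dotenv. The names env_bool, naive_bool and SAMPLE_ENV are hypothetical, and the set of accepted spellings is an assumption. An unset variable falls back to False, so a missing DEBUG never turns debug mode on, and an unrecognised value raises instead of being guessed.

```python
import os

# Accepted spellings (an assumption for this example), compared case-insensitively.
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def naive_bool(name, environ):
    """The pitfall from the thread: any non-empty string is truthy."""
    return bool(environ.get(name))


def env_bool(name, default=False, environ=None):
    """Parse environment variable `name` as a strict boolean.

    Unset returns `default`. A value outside the accepted spellings raises
    ValueError, so a typo such as DEBUG=flase stops startup instead of
    silently switching a setting on or off.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")


# Constructed sample environment, standing in for values loaded from a .env file.
SAMPLE_ENV = {"DEBUG": "False", "USE_TLS": "on", "VERBOSE": "flase", "EMPTY": ""}

if __name__ == "__main__":
    print("naive  DEBUG:", naive_bool("DEBUG", SAMPLE_ENV))
    print("strict DEBUG:", env_bool("DEBUG", environ=SAMPLE_ENV))
    print("strict USE_TLS:", env_bool("USE_TLS", environ=SAMPLE_ENV))
    try:
        env_bool("VERBOSE", environ=SAMPLE_ENV)
    except ValueError as exc:
        print("rejected:", exc)
```

In settings.py the call would be DEBUG = env_bool("DEBUG"), made after the .env file has been loaded into os.environ.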

olidroide

Thanks James! I'm starting to use this :) I'm moving from PyCharm to VSCode, and I notice that using .env files in VSCode is easier with the "envFile" parameter in launch.json, without any extra plugin or pip package.

pandichef

I used to do this. Now I just have a mysecrets.py file (which is not in the repo obviously) and just type "from mysecrets import *" at the top of settings.py. The problem I had with .env is with debug mode. Say someone on your team accidentally deploys in prod with DEBUG=True. If an end-user hits a python exception for some reason, the environment variables all appear on the Django debug screen. In contrast, regular python variables in settings.py are obfuscated by Django. Have you noticed this? Does it concern you?

Samuel Ajibade

This produces errors when you push your app to heroku for hosting

Olaniyi Oshunbote

Were you able to fix this?

darrentmorgan

Awesome, thanks!