DEV Community

Discussion on: Django Cheat Sheet: Keep Credentials Secure with Environment Variables

Collapse
pandichef profile image
pandichef

I used to do this. Now I just have a mysecrets.py file (which is not in the repo obviously) and just type "from mysecrets import *" at the top of settings.py. The problem I had with .env is with debug mode. Say someone on your team accidentally deploys in prod with DEBUG=True. If an end-user hits a python exception for some reason, the environment variables all appear on the Django debug screen. In contrast, regular python variables in settings.py are obfuscated by Django. Have you noticed this? Does it concern you?