Azeez Aremu
Django way

Django way

Django Secret Keys Protection

Django Secret Keys Protection

Azeez Aremu's photo
Azeez Aremu

Published on Apr 20, 2021

3 min read

Subscribe to my newsletter and never miss my upcoming articles

Congratulations on your just completed website where you use Django for the backend but hope your website is not exposed to hackers? You just asked how right? Yes, you are much vulnerable to be hacked if your secrete key is exposed and not protected.

But what is the secret key you asked, Secret key is that long set of string character generated automatically by Django when you created your project and it can be found in the file as shown below

Screenshot (78).png

The secret key is useful when

  • Django wants to generate password reset tokens to be sent to a registered user for a password reset. The link is checked when the user clicked on it to reset his/her password and if the attached secret key does not match the project secret key the reset will be denied

  • Data is needed to be passed through a medium not trusted and thus there is a need to detect any changes in the sent data. This is known as cryptographic signing

  • There is a need to use another session backend apart from the Django default session backend (django.contrib.sessions.backends.cache).

  • You need to store some values in the cookies and render them to users when requested and you don't want such values to be tampered with by hackers.

How to Hide Secret keys

when deploying your website to any server, there is the likelihood you use Github for holding your codes and thus you are not expected to push your secret key to Github as it might be compromised there.

Secret keys can be set as environment variables and thus be fetched when needed as shown below

  • In development go to the terminal and set it as an environment variable

Screenshot (1).png

# for windows it should be 
set secret_key="django-insecureu5owu7&1q__n0m_58!er=z7&l6n(0!gcu28o_#_3o7b7#err*2"

# for bash terminal
export secret_key="django-insecureu5owu7&1q__n0m_58!er=z7&l6n(0!gcu28o_#_3o7b7#err*2"

Then go to file and set secret key as shown below

import os
SECRET_KEY = os.environ.get("secret_key")

Ensure you run the server in the same terminal where the variable is being declared and if the server is up with no error then it means everything is working well. Also don't forget that if you close the terminal where you declared the secret key, it is lost and so you should save it in a file in the project directory and ensure such file is part of the file not push to git by adding it to the gitignore file.

  • In production, the key is set as an environment variable on the server you are using. Let's take Heroku as an example.

On Heroku, follow the steps below

  • Go to your app and select the settings tab

  • Go to config var section and click on the reveal config var button and you should have the below

Screenshot (2).png

  • Add your secret key as shown below

Screenshot (3).png

  • Lastly, your secret key definition in the file should remain as we did in development. That is
import os
SECRET_KEY = os.environ.get("secret_key")

Ok, you can now go ahead and let people know about the cool wonderful website you have created. Thank you for reading.

Share this