Will making a Django website public on github let others get the data in its database ? If so how to prevent it?

Question

I have a locally made Django website and I hosted it on Heroku, at the same time I push changes to anathor github repo. I am using built in Database to store data. Will other users be able to get the data that has been entered in the database from my repo (like user details) ?

If so how to prevent it from happening ? Solutions like adding files to .gitignore will also prevent pushing to Heroku.

Answer 1

No one can steal your data if you don't push sensitive information in git repo. Never push your credentials to public repository.
Use one of the below method.
- Create a separate file for credentials and add it to .gitignore file and copy it manually to the server.
- Save credentials in .env file and use python package to read information from there.

For more detail read these threads:
- https://www.reddit.com/r/learnpython/comments/264ffw/what_is_the_pythonic_way_of_storing_credentials/
- Python/Django - Avoid saving passwords in source code

Answer 2

The code itself wouldn't be enough to get access to the database. For that you need the db name and password, which shouldn't be in your git repo at all.

On Heroku you use environment variables - which are set automatically by the postgres add-on - along with the dj_database_url library which turns that into the relevant values in the Django DATABASES setting.