Reputation: 159
I am not sure whether it is insecure to have a plaintext password for my PostgreSQL database connection.
i.e.
In my "settings.py" file:
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'my_database',  # database name
        'USER': 'username',  # PostgreSQL user
        'PASSWORD': 'plaintext password goes here',
        'HOST': 'localhost',  # where our database is located
        'PORT': '',
    }
}
If it is not secure, please give more information about how to handle this situation.
Note: I am using HTTPS for my webpage, but I just want to know whether I have to secure this as well, even though the connection is local.
Upvotes: 4
Views: 1057
Reputation: 595
You can use environment variables:
import os

# Puts the value into this process's environment. Normally the variable is set
# outside settings.py (e.g. in the shell or the service unit) and only read here.
os.environ["password"] = "your_password"

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'my_database',  # database name
        'USER': 'username',  # PostgreSQL user
        'PASSWORD': os.environ["password"],  # read from the environment, not hard-coded
        'HOST': 'localhost',  # where our database is located
        'PORT': '',
    }
}
Upvotes: 2
Reputation: 47364
No, it's not secure to keep the password as plain text in your source code. You may make your project open source and forget to remove the password from the repository, or you may copy the code into an SO question :) and not remove the password. So it's better to keep the password and other secrets, for example SECRET_KEY, as environment variables.
During development you can use the python-dotenv library for this. So your settings.py file will look like this:
import os
from dotenv import load_dotenv

# Reads the .env file (which must not be committed) and exports its
# KEY=VALUE pairs into os.environ; variables already set in the environment win.
load_dotenv()

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'my_database',  # database name
        'USER': 'username',  # PostgreSQL user
        'PASSWORD': os.environ.get('PASSWORD'),  # None if the variable is missing
        'HOST': 'localhost',  # where our database is located
        'PORT': '',
    }
}
Upvotes: 3
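Both answers above move the password out of settings.py and into the environment. The following is an added example, not code from either answer or from Django or python-dotenv: it shows the pieces a practitioner would want around that pattern, namely a minimal .env loader with the same "existing environment wins" rule that python-dotenv uses by default (written here by hand so it runs without the library, and assumed to match that behaviour), a fail-fast check so that a missing variable raises instead of silently becoming None, and a redacted copy of DATABASES that is safe to log. The .env content, the variable names (DB_PASSWORD etc.) and the helper names are constructed for the example.

```python
import os

# Constructed sample .env content for the example. Not a real credential.
SAMPLE_DOTENV = """# local development settings (keep this file out of git)
DB_NAME=my_database
DB_USER=username
DB_PASSWORD='s3cret-example-only'
DB_HOST=localhost
export DB_PORT=5432
"""


def parse_dotenv(text):
    """Minimal .env parser (hand-written stand-in for python-dotenv):
    one KEY=VALUE per line, '#' comments, optional 'export ' prefix,
    optional matching single or double quotes around the value."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line, ignore it
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_dotenv_into(environ, text, override=False):
    """Copy parsed values into an environment mapping. As with load_dotenv's
    default, variables already present win unless override=True, so a stray
    .env file cannot clobber the real deployment environment."""
    for key, value in parse_dotenv(text).items():
        if override or key not in environ:
            environ[key] = value
    return environ


class MissingSecret(RuntimeError):
    """Raised when a required credential is absent or empty."""


def require_env(environ, name):
    """Fail fast: os.environ.get() would hand Django None, which only shows up
    later as a confusing connection error."""
    value = environ.get(name)
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start without it")
    return value


def build_databases(environ):
    """Build Django's DATABASES setting from environment variables.
    The password is mandatory; the rest fall back to the question's values."""
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql_psycopg2",
            "NAME": environ.get("DB_NAME", "my_database"),
            "USER": environ.get("DB_USER", "username"),
            "PASSWORD": require_env(environ, "DB_PASSWORD"),
            "HOST": environ.get("DB_HOST", "localhost"),
            "PORT": environ.get("DB_PORT", ""),
        }
    }


def redacted(databases):
    """Copy of DATABASES with the password masked, for logging or debugging."""
    safe = {}
    for alias, cfg in databases.items():
        safe[alias] = {k: ("***" if k == "PASSWORD" else v) for k, v in cfg.items()}
    return safe


if __name__ == "__main__":
    # In a real settings.py the text would come from a .env file on disk.
    env = load_dotenv_into(dict(os.environ), SAMPLE_DOTENV)
    DATABASES = build_databases(env)
    print(redacted(DATABASES))
```

Whatever loads the variables, the .env file itself belongs in .gitignore; the loader only keeps the secret out of settings.py, not out of a repository that contains the file.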