Reputation: 1127
I'm not that expert in that server-side stuff, but I am wondering why I can't just leave the secret key in the settings.py file.
I mean, if somebody could see the settings.py, I would have already been hacked, right?
So couldn't I just leave the secret key where it is right now?
Upvotes: 2
Views: 855
Reputation: 6815
There are a few reasons why it is good, right from the very beginning, to keep all of your secret keys in environment variables. But two come to mind:
Suppose you start with a small site where you are the sole developer. You store all of your secret keys etc. in settings.py, which is under version control.
The site is a success and you start hiring some other developers to work on your site with you. Eventually, there will be some things that you really don't want everyone to see, and just maybe you and another person.
Now, you could remove them from settings.py and move them to environment variables at this point. But anything that has ever been in your settings.py will be available through git history. This will be a major security hole.
Even if somehow someone is able to see your settings.py, that is pretty bad. But it is a thousand times worse if they can see all your secret keys.
If they can see your stripe secret key, they can now not only see your settings.py but also really, really easily empty your bank account.
If they can see your amazon s3 credentials, now not only can they see your settings.py, they can also access all of the confidential documents your users have uploaded (and you can end up with major legal issues). It also means they can use it for free, and you end up landed with a massive bill.
If they can see your general secret key, they can now intercept any of the messages that get sent to and from your server more easily. If you are using pickle to serialize session data, they could even run arbitrary code on your server, and wipe your database (see here for further details).
Imagine you're not very sensible and you re-use a password, and you get a notification from 'company X' letting you know your credentials have been compromised. Now someone can get onto your github and see your code. Instead of having to just change your password on github, you have to go round every service you use on every site you have stored there, and update all of those secret keys (assuming the damage hasn't already been done).
Let's also imagine that you are sensible, and you use 1password and have 2 factor authentication set up, so this can't happen to you. All it requires is one person on your team to not be sensible to make this a possibility again, and quite a realistic probability.
You definitely want to store all secret keys as environment variables.
Having said all of the above, yes, if your system has been compromised by someone who knows what they're doing, it won't make any difference and you are probably in a really bad place regardless. But storing secrets in environment variables will stop some attacks, so you should always do it anyway.
This is useful for non-security reasons as well. You probably want different credentials for your development, staging and production environments, and storing things in environment variables makes this a lot easier. Sure, you could have different settings.py files, but storing things in environment variables means you can update them really quickly without having to do a release.
Upvotes: 2
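One concrete way to apply the answer above in a Django project (an added example, not code from the question or the answer): a small loader that reads every secret from the environment, uses a committed placeholder only when DJANGO_DEBUG=1, and refuses to start in production with a missing or weak key. The variable names DJANGO_SECRET_KEY, DJANGO_DEBUG and STRIPE_SECRET_KEY are assumptions.

```python
import os
from typing import Mapping, Optional


class ImproperlyConfigured(Exception):
    """Missing or unsafe configuration; plays the role of django.core.exceptions.ImproperlyConfigured."""


# Constructed placeholder for local development only: safe to commit because production refuses it.
DEV_ONLY_SECRET_KEY = "dev-only-insecure-key-do-not-deploy"


def get_secret(name: str, env: Optional[Mapping[str, str]] = None,
               default: Optional[str] = None) -> str:
    """Return env[name]; fall back to `default` if given, otherwise fail loudly at startup."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if value:
        return value
    if default is not None:
        return default
    raise ImproperlyConfigured(f"{name} is not set; export it in the environment")


def build_settings(env: Optional[Mapping[str, str]] = None) -> dict:
    """Assemble the secret-bearing settings. DJANGO_DEBUG=1 selects the local placeholder key;
    any other environment must supply a real key that passes Django's security.W009 rules."""
    env = os.environ if env is None else env
    debug = get_secret("DJANGO_DEBUG", env, default="0") == "1"
    if debug:
        secret_key = get_secret("DJANGO_SECRET_KEY", env, default=DEV_ONLY_SECRET_KEY)
    else:
        secret_key = get_secret("DJANGO_SECRET_KEY", env)
        # Same checks Django's `manage.py check --deploy` applies (security.W009).
        weak = (secret_key == DEV_ONLY_SECRET_KEY or len(secret_key) < 50
                or len(set(secret_key)) < 5 or secret_key.startswith("django-insecure-"))
        if weak:
            raise ImproperlyConfigured("DJANGO_SECRET_KEY is the dev placeholder or too weak")
    return {
        "DEBUG": debug,
        "SECRET_KEY": secret_key,
        # Third-party credentials follow the same rule: optional in dev, required elsewhere.
        "STRIPE_SECRET_KEY": get_secret("STRIPE_SECRET_KEY", env, default="" if debug else None),
    }


def config_error(env: Mapping[str, str]) -> Optional[str]:
    """Return the startup error message for `env`, or None if the process would boot cleanly."""
    try:
        build_settings(env)
    except ImproperlyConfigured as exc:
        return str(exc)
    return None
```

In settings.py this reduces to `_cfg = build_settings(); SECRET_KEY = _cfg["SECRET_KEY"]`, so the file itself contains nothing worth protecting and can stay in git.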