Reputation: 1172
After creating a new project with django-admin startproject, my settings.py contains:
SECRET_KEY = 'django-insecure <actual secret key>'
I've never seen "django-insecure" before in a secret key. What does it mean?
Upvotes: 13
Views: 11947
Reputation: 719739
Why is the key insecure, when auto-created? Seems to be much safer than a key thought of by a human.
It is generated using a well known process from a source of entropy whose quality and security cannot be guaranteed (by Django). This is the ostensible reason for this; see https://docs.djangoproject.com/en/3.2/ref/checks/#security
security.W009: Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it’s prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.
More importantly, any secret key that is embedded in a settings file is only as secure as your file system's access control mechanisms. Django settings files are an obvious place to look for the secret key.
It is more secure to hold your keys in a cryptographically secured keystore or an HSM, and then pass Django its secret key via an environment variable; see Where to store secret keys DJANGO.
And, no matter how you manage them, you should generate your secret keys yourself using hardware that you control and a mechanism + entropy source that you can 100% trust. (If you are lost for options, consider rolling some dice as a source of random digits.)
Upvotes: 6
Reputation: 2435
In Django 3.2 it's better to create your own secret key for production (make sure it's safe enough) and move it to your environment variables; it's also better to use this insecure secret key for development purposes only. A safe SECRET_KEY is like this; here is an example:
import os
SECRET_KEY = os.getenv("SECRET_KEY", "django-insecure <actual secret key>")
Upvotes: 1
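As an added example (not code from either answer above, and not Django's own implementation), the following puts the two points made so far into working form: generating the production key yourself from the OS CSPRNG, and loading it from the environment without silently falling back to the insecure default when DEBUG is off. The weak-key conditions are the three named in the security.W009 text quoted above; the function and parameter names (secret_key_warnings, generate_secret_key, load_secret_key, dev_fallback) are this example's own, and the sample keys are constructed.

```python
import secrets

# The three conditions the quoted security.W009 check flags.
MIN_LENGTH = 50
MIN_UNIQUE = 5
INSECURE_PREFIX = "django-insecure-"


def secret_key_warnings(key):
    """Return W009-style reasons a SECRET_KEY is weak (empty list if none apply)."""
    reasons = []
    if len(key) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(key)) < MIN_UNIQUE:
        reasons.append(f"fewer than {MIN_UNIQUE} unique characters")
    if key.startswith(INSECURE_PREFIX):
        reasons.append(f"prefixed with {INSECURE_PREFIX!r} (auto-generated by startproject)")
    return reasons


def generate_secret_key(nbytes=48):
    """Generate a key from the OS CSPRNG; 48 random bytes give 64 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def load_secret_key(environ, debug, dev_fallback):
    """Resolve SECRET_KEY the way a settings.py could.

    debug=False: the key must come from the environment and pass the W009
    checks; otherwise refuse to start rather than run with a weak key.
    debug=True: a missing or weak key is tolerated so local development works,
    falling back to the hard-coded development key if none is set.
    """
    key = environ.get("SECRET_KEY")
    if key:
        problems = secret_key_warnings(key)
        if problems and not debug:
            raise RuntimeError("SECRET_KEY rejected: " + "; ".join(problems))
        return key
    if debug:
        return dev_fallback
    raise RuntimeError("SECRET_KEY must be set in the environment when DEBUG is False")


if __name__ == "__main__":
    # Constructed values: the prefixed key stands in for the startproject default.
    dev_key = "django-insecure-" + "x" * 40
    print(secret_key_warnings(dev_key))
    fresh = generate_secret_key()
    print(secret_key_warnings(fresh))  # []
    print(load_secret_key({"SECRET_KEY": fresh}, debug=False, dev_fallback=dev_key) == fresh)
```

In a real settings.py you would call load_secret_key(os.environ, DEBUG, dev_fallback) and export SECRET_KEY on the server from whatever store you keep it in; the point of the production branch is that a forgotten or weak variable stops the process instead of quietly running on the development key.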
Reputation: 57
This is a visible warning that any key that is hardcoded is insecure from the very first moment. The idea is to use different keys in development and production.
You can easily generate a new key using an online generator like this one
On your server add your SECRET_KEY to the environment variables and these lines to your settings.py
import os
SECRET_KEY = os.environ['SECRET_KEY']
I personally don't prefer saving keys in files but that is possible as well.
Please note that
Upvotes: 0