Sven

Reputation: 1172

"Django-insecure" in secret key in settings.py in django

After creating a new project with django-admin startproject my settings.py contain:

SECRET_KEY = 'django-insecure <actual secret key>'

I've never seen "django-insecure' before in a secret key. What does it mean?

Upvotes: 13

Views: 11947

Answers (3)

Stephen C

Reputation: 719739

Why is the key insecure, when auto-created? Seems to be much safer than a key thought of by a human.

It is generated using a well known process from a source of entropy whose quality and security cannot be guaranteed (by Django). This is the ostensible reason for this; see https://docs.djangoproject.com/en/3.2/ref/checks/#security

security.W009: Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it’s prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.

More importantly, any secret key that is embedded in a settings file is only as secure as your file system's access control mechanisms. Django settings files are an obvious place to look for the secret key.

It is more secure to hold your keys in a cryptographically secured keystore or an HSM, and then pass Django its secret key via an environment variable; see Where to store secret keys DJANGO.

And, no matter how you manage them, you should generate your secret keys yourself using hardware that you control and a mechanism + entropy source that you can 100% trust. (If you are lost for options, consider rolling some dice as a source of random digits.)

Upvotes: 6
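The security.W009 check quoted above has three concrete conditions (fewer than 50 characters, fewer than 5 distinct characters, or the `django-insecure-` prefix). The following is an added example, not code from the answer or from Django's own source: it generates a key from the same 50-character alphabet Django's `get_random_secret_key()` uses, via the standard-library `secrets` module (the OS CSPRNG), and reproduces the W009 conditions so a key can be vetted before it goes into a keystore or environment variable. The `check_secret_key` function and its return codes are this example's own naming, not a Django API.

```python
import secrets
import string
from typing import List

# Django's get_random_secret_key() draws from this 50-character alphabet
# (django.core.management.utils); 50 such characters give roughly 282 bits.
SECRET_KEY_CHARS = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"

# Thresholds behind security.W009, as quoted from the Django docs above.
MIN_LENGTH = 50
MIN_UNIQUE_CHARS = 5
INSECURE_PREFIX = "django-insecure-"


def generate_secret_key(length: int = MIN_LENGTH) -> str:
    """Return a random key of `length` characters from SECRET_KEY_CHARS.

    Uses secrets.choice (os.urandom underneath), not random.choice, and never
    prepends the 'django-insecure-' marker, so the result passes W009.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def check_secret_key(secret_key: str) -> List[str]:
    """Reproduce the three conditions of Django's security.W009 warning.

    Returns a list of failure codes (this example's own naming);
    an empty list means the key would not trigger the warning.
    """
    problems = []
    if len(secret_key) < MIN_LENGTH:
        problems.append("too_short")
    if len(set(secret_key)) < MIN_UNIQUE_CHARS:
        problems.append("too_few_unique_chars")
    if secret_key.startswith(INSECURE_PREFIX):
        problems.append("insecure_prefix")
    return problems


if __name__ == "__main__":
    key = generate_secret_key()
    print(key)
    print("W009 problems:", check_secret_key(key) or "none")
    # Constructed stand-in for the key startproject writes: long and varied,
    # so it fails on the prefix alone.
    print(check_secret_key("django-insecure-" + "x" * 40))
```

Run it once on a machine you control and copy the printed key into your secret store; do not paste it into settings.py.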

Mojtaba Arezoomand

Reputation: 2435

In Django 3.2 it's better to create your own secret key for production (make sure it's safe enough) and move it to your environment variables, and it's also better to use this insecure secret key for development purposes only. A safe SECRET_KEY is like this:

  • The secret key must be a large random value and it must be kept secret.
  • Make sure that the key used in production isn’t used anywhere else and avoid committing it to source control. This reduces the number of vectors from which an attacker may acquire the key.
  • Instead of hardcoding the secret key in your settings module, consider loading it from an environment variable:

Here is an example:

import os
SECRET_KEY = os.getenv("SECRET_KEY", "django-insecure <actual secret key>")

Upvotes: 1

peter-sari

Reputation: 57

This is a visible warning that any key that is hardcoded is insecure from the very first moment. The idea is to use different keys in development and production.

You can easily generate a new key using an online generator like this one

On your server add your SECRET_KEY to the environment variables and these lines to your settings.py

import os
SECRET_KEY = os.environ['SECRET_KEY']

I personally don't prefer saving keys in files but that is possible as well.

Please note that

Upvotes: 0
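Both of the last two answers load SECRET_KEY from the environment; the `os.getenv` form silently falls back to the insecure key when the variable is missing, and the `os.environ[...]` form crashes with a KeyError. The following is an added example, not code from either answer or from Django: a loader that hands out the development key only when DEBUG is on, fails closed otherwise, and also accepts a file path (the pattern used for Docker and Kubernetes secret mounts). The `SECRET_KEY_FILE` variable, the `SecretKeyError` class and the `DEV_ONLY_KEY` placeholder are this example's own assumptions.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

INSECURE_PREFIX = "django-insecure-"

# Constructed stand-in for the key startproject writes into settings.py.
# It is only ever handed out when debug is True.
DEV_ONLY_KEY = "django-insecure-dev-placeholder-do-not-deploy-0123456789"


class SecretKeyError(RuntimeError):
    """Raised when no usable SECRET_KEY is available for a non-debug run."""


def load_secret_key(env: Mapping[str, str], debug: bool) -> str:
    """Resolve SECRET_KEY in order of preference, failing closed in production.

    1. SECRET_KEY_FILE: path to a file holding the key (secret mounts);
       surrounding whitespace, e.g. a trailing newline, is stripped.
    2. SECRET_KEY: the key itself in the environment (empty counts as unset).
    3. DEV_ONLY_KEY: only when debug is True.
    A key carrying the 'django-insecure-' prefix is rejected when debug is False.
    """
    key: Optional[str] = None
    key_file = env.get("SECRET_KEY_FILE")
    if key_file:
        key = Path(key_file).read_text(encoding="utf-8").strip()
    elif env.get("SECRET_KEY"):
        key = env["SECRET_KEY"]

    if not key:
        if debug:
            return DEV_ONLY_KEY
        raise SecretKeyError(
            "SECRET_KEY is not set and DEBUG is False; refusing to start"
        )

    if not debug and key.startswith(INSECURE_PREFIX):
        raise SecretKeyError(
            "SECRET_KEY carries the django-insecure- prefix; "
            "generate a real one for production"
        )
    return key


# In settings.py this would read (not executed here):
# DEBUG = os.environ.get("DJANGO_DEBUG") == "1"
# SECRET_KEY = load_secret_key(os.environ, DEBUG)

if __name__ == "__main__":
    debug = os.environ.get("DJANGO_DEBUG") == "1"
    print(load_secret_key(os.environ, debug)[:8] + "...")
```

With this in place a production container that forgot to mount the secret refuses to serve requests instead of signing sessions and password-reset tokens with the key that sits in source control.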
