Reputation: 1172
"Django-insecure" in secret key in settings.py in django
After creating a new project with django-admin startproject my settings.py contain:
SECRET_KEY = 'django-insecure <actual secret key>'
I've never seen "django-insecure' before in a secret key. What does it mean?
Upvotes: 13
Views: 11947
Answers (3)
Reputation: 719739
Why is the key insecure, when auto-created? Seems to be much safer than a key thought of by a human.
It is generated using a well known process from a source of entropy whose quality and security cannot be guaranteed (by Django). This is the ostensible reason for this; see https://docs.djangoproject.com/en/3.2/ref/checks/#security
security.W009: YourSECRET_KEYhas less than 50 characters, less than 5 unique characters, or it’s prefixed with'django-insecure-'indicating that it was generated automatically by Django. Please generate a long and randomSECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.
More importantly, any secret key that is embedded in a settings file is only as secure as your file system's access control mechanisms. Django settings files are an obvious place to look for the secret key.
It is more secure to hold your keys in a cryptographically secured keystore or an HSM, and then pass Django its secret key via an environment variable; see Where to store secret keys DJANGO.
And, no matter how you manage them, you should generate your secret keys yourself using hardware that you control and a mechanism + entropy source that you can 100% trust. (If you are lost for options, consider rolling some dice as a source of random digits.)
Upvotes: 6
Reputation: 2435
in django 3.2 it's better to create your own secret key for production(make sure it's safe enough) and move it to your environment variables and it's also better to use this insecure secret key for development purposes only. A safe SECRET_KEY is like this:
- The secret key must be a large random value and it must be kept secret.
- Make sure that the key used in production isn’t used anywhere else and avoid committing it to source control. This reduces the number of vectors from which an attacker may acquire the key.
- Instead of hardcoding the secret key in your settings module, consider loading it from an environment variable:
Here is an example:
import os
SECRET_KEY = os.getenv("SECRET_KEY", "django-insecure <actual secret key>")
Upvotes: 1
Reputation: 57
This is a visible warning that any key that is hardcoded is insecure from the very first moment. The idea is to use a different keys in development and production.
You can easily generate a new key using an online generator like this one
On your server add your SECRET_KEY to the environment variables and these lines to your settings.py
import os
SECRET_KEY = os.environ['SECRET_KEY']
I personally don't prefer saving keys in files but that is possible as well.
Please note that
Upvotes: 0
Related Questions
- Django: ImproperlyConfigured: The SECRET_KEY setting must not be empty
- Error message: django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty
- Django exception: Improperly configured SECRET_KEY
- getting error : django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty in django
- Django SECRET KEY error
- django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty
- Django: The SECRET_KEY setting must not be empty even if it exists in settings
- Django settings SECRET_KEY
- The SECRET_KEY setting must not be empty || Available at Settings.py
- Python django : django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty