How To Hide Django Secret Key

Prosenjeet Shil
Published in Django Unleashed
3 min read · May 27, 2024

Accidentally pushed your secret key to a public GitHub repository?

When working on a Django project, it’s essential to keep sensitive information like your Secret Key safe and hidden from public view, especially when sharing your code on GitHub.

Fortunately, a secret-scanning service such as GitGuardian detects this kind of leak immediately and notifies you of the security risk involved.

In this article, I’ll walk you through the process of securely hiding your Django Secret Key using python-decouple.

Why Secure Your Django Secret Key?

Your Django Secret Key is a crucial component of your project’s security: Django uses it for cryptographic signing, for example of session cookies, password-reset tokens and anything signed with django.core.signing, so anyone who obtains it can forge those values. Exposing it publicly can lead to security risks and data breaches. Therefore, it’s important to follow best practices and keep your Secret Key hidden from prying eyes.

Create Virtual Environment

I assume you usually create a virtual environment while building your project. Creating a virtual environment helps isolate your project’s dependencies, making it easier to manage and more secure. You can create one using virtualenv:

pip install virtualenv
virtualenv venv
venv\scripts\activate

The command pip install virtualenv installs the necessary tool. virtualenv venv generates a virtual environment named venv. Finally, venv\scripts\activate activates the virtual environment, enabling isolated Python development within it.

How to use python-decouple to hide secret key:

Step 1: Install Python Decouple

Start by installing Python Decouple using pip:

pip install python-decouple

Step 2: Create the .env File

In your Django project directory, create a file named .env. This file will serve as the storage for your sensitive settings.

Step 3: Configure .env

Within the .env file, add your Secret Key like this (the value shown is only an example; replace it with your actual Secret Key):

SECRET_KEY='qolwvjicds5p53gvod1pyrz*%2uykjw&a^&c4moab!w=&16ou7'

Feel free to include other sensitive settings in this file if needed.

Step 4: Update Django Settings

In your Django project’s settings.py file, you’ll need to make some changes to read the Secret Key from the .env file. Import Python Decouple and configure it as follows:

import os
from decouple import config

# Read SECRET_KEY from the .env file (or from the process environment, which
# python-decouple checks first). Without a default, config() raises
# UndefinedValueError if the key is missing instead of silently falling back.
SECRET_KEY = config('SECRET_KEY')

Step 5: Exclude .env from Version Control using .gitignore file

Now that you’ve moved your Secret Key to the .env file, you must ensure that this file is not included in your Git repository. To do this, create or edit your .gitignore file and add the following line:

.env

This tells Git to ignore the .env file and not include it in version control.

Step 6: Commit and Push

With these changes in place, you can now commit your code and push it to your GitHub repository. The .env file, containing your sensitive Secret Key, will remain private and hidden from the public eye. If the key was already committed before this change, it remains in the repository history, so generate a new Secret Key and put that in .env rather than reusing the exposed one.
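As an added check that is not part of the original article, here is a small stdlib-only Python script that audits a project for the two mistakes these steps fix: a SECRET_KEY string literal left in settings.py, and a .gitignore that does not exclude .env. The file contents are constructed samples, and the audit functions are my own assumptions, not part of python-decouple.

```python
import re
from typing import List, Optional

# SECRET_KEY assigned a quoted string literal. A call such as config('SECRET_KEY')
# or os.environ['SECRET_KEY'] does not start with a quote, so it is not matched.
_LITERAL_KEY = re.compile(
    r"""^\s*SECRET_KEY\s*=\s*(['"])(?P<value>.+?)\1\s*(#.*)?$""", re.MULTILINE
)

# .gitignore entries that exclude a top-level .env file (a subset of gitignore syntax).
_ENV_PATTERNS = {".env", "/.env", ".env*", "*.env", "**/.env"}

def hardcoded_secret_key(settings_text: str) -> Optional[str]:
    """Return the literal SECRET_KEY value found in settings.py, or None."""
    match = _LITERAL_KEY.search(settings_text)
    return match.group("value") if match else None

def env_is_ignored(gitignore_text: str) -> bool:
    """True if .gitignore contains a rule that ignores .env."""
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line, comment, or negation rule
        if line in _ENV_PATTERNS:
            return True
    return False

def audit(settings_text: str, gitignore_text: str) -> List[str]:
    """Findings that would let the secret key reach a public repository."""
    findings = []
    value = hardcoded_secret_key(settings_text)
    if value is not None:
        findings.append(f"SECRET_KEY is a string literal in settings.py ({value[:4]}...)")
    if not env_is_ignored(gitignore_text):
        findings.append(".env is not excluded by .gitignore")
    return findings

# Constructed samples: the "before" state the article warns about and the "after" state.
BEFORE_SETTINGS = "DEBUG = True\nSECRET_KEY = 'constructed-example-key-not-real'\n"
AFTER_SETTINGS = "from decouple import config\nSECRET_KEY = config('SECRET_KEY')\n"
GITIGNORE_MISSING = "__pycache__/\n*.pyc\n"
GITIGNORE_OK = "# local secrets\n.env\n__pycache__/\n"

if __name__ == "__main__":
    print("before:", audit(BEFORE_SETTINGS, GITIGNORE_MISSING))
    print("after: ", audit(AFTER_SETTINGS, GITIGNORE_OK) or "no findings")
```

Run it against your own settings.py and .gitignore contents before the first push; a non-empty result from audit() means the key can still reach the repository.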

Wrapping Up

Securing your Django Secret Key on GitHub is a crucial step in ensuring the security of your application. By using Python Decouple and .gitignore, you can easily hide sensitive data from public view while collaborating with other developers on your project. Always adhere to best practices in web development and security to protect your application and its users.

Now you can confidently share your Django project on GitHub without worrying about exposing your Secret Key to potential security risks.

Happy coding!
