How to hide sensitive information in Django?

Asked

Viewed 354 times

1

In my Django project I have some sensitive variables, which I need to 'hide'. In general, save them in a file . env and read them with DADO_SENSIVEL = os.environ.get("DADO_SENSIVEL", default="")..

I’d like to understand the difference between me saving these variables in the .env, in the .bashrc and in the .bash_profile

Does the answer depend on using Docker? If so, what would be the difference using and not using Docker?

3 answers

2


I don’t fully understand the question, for example: I can’t see Django’s relationship with Docker in this context, but I will try to answer. If I understand, what you want is to hide sensitive information in a Jango project. Considering that this is what I will explain my approach (I use linux):

First I create a file of the type .yaml which can be "parsed" by the package Pyyaml, in this archive I place the sensitive information to be read on setttings.py from Django, below an example:

db:
    default:
        ENGINE: 'django.db.backends.postgresql_psycopg2'
        NAME: 'nome-banco'
        USER: 'user-name'
        PASSWORD: 'change-me'
        HOST: 'localhost'
        PORT: '5432'
        OPTIONS: {}

email:
    email_host: 'smtp.<config>.com'
    email_port:  587
    email_host_user: 'no_reply@<email.com>'
    email_host_password: '<your_password>'
    use_tls: True

key: sdn2-%Hey-Jude_take-a-sad-song_and_make-it-better 

Note that in this file are placed the information about the database, sending email and the key for creating tokens.

Then choose a place to put this file, for example in /etc/name-app/config.yaml

Create an environment variable that points to where that file will be stored (on the server, I do this on gunicorn), in the development environment, in my case this can be done with the export command:

export VARNAME='/path/to/file' 

This command can be placed in your ~/. bashrc file, which you cite.

So in the file settings.py from Django, first try to see if the variable exists in the system, if yes, I load the file from the path it points and assign the values to the variables, thus:

CONFIG = os.environ.get('VARNAME')
try:
    with open(CONFIG, 'r') as f:
        settings = yaml.safe_load(f)
except IOError as e:
    print("I/O error({0}): {1}".format(e.errno, e.strerror))
    raise
except:
    print("Erro inesperado", sys.exc_info())
    print("Erro inesperado", sys.exc_info()[0])
    raise

# To send email
EMAIL_HOST = settings['email_host']
EMAIL_PORT = settings['email_port']
EMAIL_HOST_USER = settings['email_host_user']
EMAIL_FROM = settings['email_host_user']
EMAIL_HOST_PASSWORD = settings['email_host_password']
EMAIL_USE_TLS = settings['use_tls']

SECRET_KEY = settings['key']
DATABASES = settings['db']

Essentially, that is, no matter if your server or development environment is on the physical machine, on a virtual machine or in a Docker container.

If it’s not clear, say I’m trying to improve the answer.

1

You can use python-decouple, with it it is possible to insert the data in Settings.py.. pulling data from an external file . env or . ini in which you declare constant strings as in the example below:

#nome_do_projeto/setting.py
from decouple import config
DEBUG = config('DEBUG', default=False, cast=bool)#a opção cast declara o tipo.
SECRET_KEY = config('SECRET_KEY')

instead of:

DEBUG=TRUE
SECRET_KEY = "sejalqualforakey"

and within the file . env:

#raiz_do_projeto/.env:
DEBUG=TRUE
SECRET_KEY=sejalqualforakey

and if you need to insert a list for example in ALLOWED_HOSTS:

ALLOWED_HOSTS = config('ALLOWED_HOSTS', default=[], cast=Csv())

here the cast contains a Csv method that needs to be imported into:

from decouple import config, Csv

and in . env:

ALLOWED_HOSTS=127.0.0.1, .localhost

1

Browser other questions tagged

You are not signed in. Login or sign up in order to post.