I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py f
Having something like this in your settings.py:
db_user = 'my_db_user'
db_password = 'my_db_password'
hard-codes valuable information in your code and does pose a security risk. An alternative is to store your valuable information (API keys, database passwords, etc.) on your local machine as environment variables. E.g. on Linux you could add:
export DB_USER="my_db_user"
export DB_PASS="my_db_password"
to your .bash_profile. Or there is usually an option with your hosting provider to set environment variables, e.g. with AWS Elastic Beanstalk you can add env variables under your configuration on the console.
Then, to retrieve your information, import os:
import os
# os.environ[...] raises KeyError if the variable is not set
db_user = os.environ['DB_USER']
db_password = os.environ['DB_PASS']
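As an added example (not part of the original answer), here is one way to load the DB_USER and DB_PASS variables described above so that the application refuses to start when one is unset or blank, and reports every missing name without putting any secret value in the error. The names `load_secrets`, `database_settings` and `MissingSecretError`, and the database engine and name, are assumptions made for illustration.

```python
import os


class MissingSecretError(RuntimeError):
    """Raised at startup when a required environment variable is absent."""


def load_secrets(names, environ=None):
    """Return {name: value} for every required variable, or fail closed.

    All unset or blank names are reported together. Only names go into
    the error message, never values, so the exception is safe to log.
    """
    environ = os.environ if environ is None else environ
    values, missing = {}, []
    for name in names:
        value = environ.get(name)
        if value is None or not value.strip():
            missing.append(name)
        else:
            values[name] = value  # returned unmodified: whitespace may be part of a password
    if missing:
        raise MissingSecretError(
            "required environment variables not set: " + ", ".join(sorted(missing))
        )
    return values


def database_settings(environ=None):
    """Build a Django-style DATABASES dict from DB_USER / DB_PASS."""
    secrets = load_secrets(["DB_USER", "DB_PASS"], environ)
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",  # assumed backend
            "NAME": "myapp",                            # assumed database name
            "USER": secrets["DB_USER"],
            "PASSWORD": secrets["DB_PASS"],
        }
    }


if __name__ == "__main__":
    # Constructed sample environments; real code would pass nothing and use os.environ.
    constructed = {"DB_USER": "my_db_user", "DB_PASS": "my_db_password"}
    print(database_settings(constructed)["default"]["USER"])
    try:
        database_settings({"DB_USER": "my_db_user", "DB_PASS": ""})
    except MissingSecretError as exc:
        print(exc)
```

In settings.py this would be used as `DATABASES = database_settings()`, so a deployment with an unset variable fails at import time rather than at the first database connection.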