Hi Tom You are definitely not overthinking this. it's important.
This is an area that has baked my noodle for a while now and I always am left wondering "Do I have this right?" "Am I vulnerable to attack?" ..... and I still haven't figured it out completely. It's like static files I never really feeel like I get it entirely :) Firstly you should never need to store a password/token/secret in Source Control ever. If you are stop and think there must be a better way. I use environment variables .env to store my secrets but the trick is ALWAYS put that in your .gitignore file. If you start a new git repository there is an option to create a .gitignore file for Python that is a great starting point. To complement my *.env* file it has a .env.example file that I DO put in source control with a dummy password. .env file: MAILGUN_API_KEY =asjdhasds78dy9s8dy012287e210eu209e72 .env.example: MAILGUN_API_KEY=ThisIsNotARealToken So when I do local development I can populate my .env fie with local dev secrets. For production deployments, I use *Ansible *for which I provide production tokens and secrets in a separate file also not in source control. The Ansible deployment requires an ssh password that I store in a Password Manager that has two-factor authentication. The docker-compose file can read environment variables from the .env file. Have a look at Django-Cookiecutter and see how they do it. That helped me a lot when I started out cheers Chris On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote: > > Hi there, I'm following the guidelines by making sure the environment > variables are stored outside of the settings.py files. > > The project is "dockerised" and so the environment variables have been > stored in files *docker-compose.yml* and *docker-compose-prod.yml*. > > This includes things like the project's secret key, API keys, and database > passwords. > > *My question is: * > • Just because environment variables are stored in .yml files, won't they > be equally insecure the moment I commit the project folder to a git repo > (and especially if I push that repo to GitHub)? > e.g. the Secret Key will forevermore be stored in the git repo (in earlier > versions, even if I later move it to another file in subsequent commits). > > Is there an even more secure way of storing environment variables? Or am I > overthinking it (as I'm the only developer and the GitHub repo is set to > Private)? > > Many thanks in advance for your help. > -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com.
