Hi Uri,
Never expose the whole settings at any time. Settings always include sensitive
data: at least the DB access key and Django's secret value.
This attitude is highly vulnerable. Anyone could access that sensitive
data via response headers if you play with settings without caution.

Regards,
Sencer HAMARAT



‪On Fri, May 29, 2020 at 7:11 AM ‫אורי‬‎ <u...@speedy.net> wrote:‬

> Django users,
>
> There was a discussion in Stack Overflow related to an answer of mine -
> how to access settings from templates in Django [
> https://stackoverflow.com/a/53953578/1412564]. And I would like to know -
> is it generally unsafe to expose all my settings to templates and why?
> Should I use the updated answer and expose only specific settings to
> templates? Because if a hacker can change my templates, they can also
> change my .py files, and then they can give themselves any access they want
> to. So what is better - expose all my settings to templates or only
> specific settings which I consider safe?
>
> Thanks,
> Uri.
> אורי
> u...@speedy.net
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/CABD5YeEmHtPHMKs7ub42eeTQR8_XfDUGwyCtn9XGmvZ0JyFfwQ%40mail.gmail.com
> <https://groups.google.com/d/msgid/django-users/CABD5YeEmHtPHMKs7ub42eeTQR8_XfDUGwyCtn9XGmvZ0JyFfwQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
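
The narrower option raised in this thread, exposing only specific settings to templates, sketched as an added example (not code from either poster, the linked answer, or Django itself). The names `TEMPLATE_SAFE_SETTINGS`, `pick_safe_settings`, `template_settings` and the `SITE_NAME` setting are hypothetical, and the sensitive-name pattern is a constructed guard.

```python
import re
from types import SimpleNamespace

# Names a template may read. Hypothetical allowlist; adjust per project.
TEMPLATE_SAFE_SETTINGS = ("DEBUG", "LANGUAGE_CODE", "TIME_ZONE", "SITE_NAME")

# Constructed guard pattern: names that look like credentials are refused
# even if someone later adds them to the allowlist by mistake.
SENSITIVE_NAME = re.compile(r"SECRET|KEY|PASS|TOKEN|DATABASES", re.IGNORECASE)


def pick_safe_settings(settings_obj, allowed=TEMPLATE_SAFE_SETTINGS):
    """Return a plain dict holding only allowlisted, non-sensitive settings."""
    exposed = {}
    for name in allowed:
        if SENSITIVE_NAME.search(name):
            raise ValueError(f"refusing to expose sensitive setting {name!r}")
        # Settings that are not defined are skipped rather than raising.
        if hasattr(settings_obj, name):
            exposed[name] = getattr(settings_obj, name)
    return exposed


def template_settings(request):
    """Context processor: templates get {{ settings.SITE_NAME }} and nothing else."""
    # Imported lazily so pick_safe_settings can be exercised without Django.
    from django.conf import settings
    return {"settings": pick_safe_settings(settings)}


# Constructed stand-in for django.conf.settings, used to run the helper offline.
FAKE_SETTINGS = SimpleNamespace(
    DEBUG=False,
    LANGUAGE_CODE="en-us",
    SITE_NAME="example",
    SECRET_KEY="constructed-not-a-real-key",
    DATABASES={"default": {"PASSWORD": "constructed"}},
)

if __name__ == "__main__":
    # SECRET_KEY and DATABASES never reach the template context.
    print(pick_safe_settings(FAKE_SETTINGS))
```

To use it, the dotted path to `template_settings` goes in the `context_processors` list of the `TEMPLATES` setting.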
