Re: secret api keys

2022-10-26 Thread Michael Rohan
Hi,

This is one of the drivers for my package:

https://django-yamlconf.readthedocs.io/en/latest/

Externalize setting values to yaml files.

Take care,
Michael

On Wed, Oct 26, 2022 at 9:45 PM Mike Dewhirst  wrote:

> On 27/10/2022 3:32 pm, Mike Dewhirst wrote:
>
> Not a dumb question but frequently asked.
>
> There are two approaches - one is to export your secrets as environment
> vars and read them from there. The other is to keep them in disk files and
> read them as required.
>
> In both cases the idea is to keep secrets out of your code and thus out of
> your repo.
>
> I prefer the latter approach.
>
>
> Further to that, the secrets are consumed by your code on the server which
> constructs html from a template rendered with values inserted by your code
> and sends that all to the browser which made the request.
>
> So if you don't include your secrets in your constructed html they won't
> appear in the browser and will remain secret.
>
> My preferred approach (above) is only secure if the files containing the
> secrets are stored on the server in a location accessible to the web server
> (Apache perhaps in your case) but access is denied to a browser.
>
> In my case, I use a "creds" directory which satisfies that scenario.
>
>
> Cheers
>
> Mike
>
>  Original message 
> From: john fabiani  
> Date: 27/10/22 02:09 (GMT+10:00)
> To: django-users@googlegroups.com
> Subject: secret api keys
>
> Hi,
>
> Maybe a dumb question but if I add secret keys in my settings.py file
> (or should it be placed) will they be protected from the front end side
> (the part that is displayed to the user of the website).
>
> For example I have a secret key to access Authorize Net.  Will it be
> protected from someone opening the website and using chrome to see the
> source?
>
> Johnf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
> .
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au
>
> --
> Signed email is an absolute defence against phishing. This email has
> been signed with my private key. If you import my public key you can
> automatically decrypt my signature and be sure it came from me. Just
> ask and I'll send it to you. Your email software can handle signing.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au


-- 
Michael Rohan
mro...@acm.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFjA_5G6SgVtquiqAxxMp0yOaiKE67fuVZ%2BSCN9%2B9Q1mQQ%40mail.gmail.com.


ANN: django-yamlconf v1.4.0 is available

2021-03-03 Thread Michael Rohan
Hi Folks,

Have released v1.4.0 for django-yamlconf, a module supporting Django
settings via YAML files (searching up the directory hierarchy, e.g., in a
K8s environment, adding a "final" set of settings via "/APPLICATION.yaml");
see the documentation at https://django-yamlconf.readthedocs.io/en/latest/
for more detailed info.

The updates for this release are:

- Added support for JSON encoded environment values if decorated with
":jsonenv".  If JSON decoding fails (invalid JSON string), the value is
used as is.  This allows the definition of more complex values via the
environment: lists, dictionaries, etc.  This can be used in K8s
environments, e.g., Concourse (for me).

- Added a `CODE-OF-CONDUCT` file for contributors.

Take care,
Michael



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFhSOuHUGur-ruPmvFrZEJ7mndGfd0B9x5cgCKV3Cn%3D4pQ%40mail.gmail.com.
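As an added illustration of the ":jsonenv" behaviour the announcement describes (decode the named environment variable as JSON, fall back to the raw string when decoding fails), the block below is example code written for this page, not django-yamlconf's own implementation. The decoration form it accepts, a string value whose prefix is the variable name and whose suffix is `:jsonenv`, is an assumption rather than the project's documented syntax, and `SAMPLE_SETTINGS` and `SAMPLE_ENV` are constructed inputs.

```python
import json
import os

JSONENV = ":jsonenv"  # assumed decoration form: "<VARIABLE_NAME>:jsonenv"


def resolve_value(value, environ=None):
    """Resolve one setting value.

    Strings decorated with ":jsonenv" name an environment variable; its content
    is JSON-decoded so lists and dicts can be injected from the environment, and
    if decoding fails the raw string is used as is. Dicts and lists are resolved
    recursively. json.loads builds only plain data, so a variable an attacker can
    influence changes a value but cannot run code (unlike yaml.load without a
    safe Loader).
    """
    if isinstance(value, dict):
        return {k: resolve_value(v, environ) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_value(v, environ) for v in value]
    if not isinstance(value, str) or not value.endswith(JSONENV):
        return value
    environ = os.environ if environ is None else environ
    name = value[: -len(JSONENV)]
    if name not in environ:
        # Assumption: an unset variable leaves the decorated string untouched so
        # the gap is visible via unresolved() rather than silently becoming None.
        return value
    raw = environ[name]
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


def resolve_settings(loaded, environ=None):
    """Resolve every value of a loaded YAML mapping."""
    return {k: resolve_value(v, environ) for k, v in loaded.items()}


def unresolved(settings, prefix=""):
    """Dotted names of values still carrying ":jsonenv" after resolution, so a
    deployment can refuse to start instead of running with a placeholder."""
    names = []
    for key, value in settings.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            names.extend(unresolved(value, dotted + "."))
        elif isinstance(value, str) and value.endswith(JSONENV):
            names.append(dotted)
    return sorted(names)


# Constructed stand-in for a loaded YAML control file.
SAMPLE_SETTINGS = {
    "ALLOWED_HOSTS": "ALLOWED_HOSTS:jsonenv",
    "DATABASES": {"default": {"NAME": "mydb", "PORT": "DB_PORT:jsonenv"}},
    "CACHE_BACKEND": "CACHE_BACKEND:jsonenv",
    "SECRET_KEY": "SECRET_KEY:jsonenv",
}

# Constructed environment, as a pod spec or pipeline might inject it.
# SECRET_KEY is deliberately absent to show the unresolved() check.
SAMPLE_ENV = {
    "ALLOWED_HOSTS": '["app.example.org", "localhost"]',  # valid JSON list
    "DB_PORT": "5432",  # valid JSON number, becomes int
    "CACHE_BACKEND": "django.core.cache.backends.locmem.LocMemCache",  # not JSON
}


if __name__ == "__main__":
    resolved = resolve_settings(SAMPLE_SETTINGS, SAMPLE_ENV)
    print(resolved)
    print("unresolved:", unresolved(resolved))
```

One caveat the fallback rule creates: a plain string that happens to be valid JSON is converted, so a secret such as `1e5` becomes the float `100000.0` and `true` becomes a boolean. Reserve the decoration for values that really are JSON and read secrets through an undecorated variable, and fail the deployment when `unresolved()` is non-empty.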


Re: Django SECRET KEY

2020-11-04 Thread Michael Rohan
Hi Folks,

An extension of this local file approach is the project django-yamlconf (see
https://django-yamlconf.readthedocs.io/en/latest/).  It allows general
override of settings.  It is my project (full disclosure).

Take care,
Michael.

On Wed, Nov 4, 2020 at 3:51 PM Mike Dewhirst  wrote:

> On 5/11/2020 1:54 am, Kegan Ronholt wrote:
> > What is the best practice for hiding SECRET key in settings.py in
> > production. I am finding all sorts of different ways to do it, but
> > none seem to work.
>
> I keep it in a file left out of the repository but in a "standard"
> location known to the web server.
>
> I have a simple utility to read the file into a list and just use a list
> item as the secret key. I like it because there are typically half a
> dozen different secrets per project. They include database credentials,
> email server details, captcha keys and so on. It is handy having a
> system to get all such stuff without needing to store it unsafely. I
> also like using the top few lines for credentials and lower lines for
> comments.
>
> My standard location for such files includes a directory name based on
> project name established in the settings so I don't have to think too
> hard to manage credentials of any sort when creating new projects.
>
> My view is that the only way secrecy can be compromised is if the server
> itself is pwned. At that point you have to start again anyway.
>
> Cheers
>
> Mike
>
> >
> >
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/django-users/6660766c-6ed4-4500-9006-c8289158f749n%40googlegroups.com
>
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/ad2ead73-7a13-b5ac-ee10-cf60edc92323%40dewhirst.com.au



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFiQ%2BoTW-gSjh37jg0CBvFOw6kc3jrMvfDTB15LtP0BLiQ%40mail.gmail.com.
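Both the "secret api keys" thread earlier on this page and Mike's reply in this thread describe the same arrangement: secrets in a file outside the repository, in a standard per-project location that the web server can read but a browser cannot reach, with the first lines holding credentials and the lower lines comments, and nothing secret ever placed in a template context. The block below is an added example of that arrangement written for this page; it is not Mike's utility and not django-yamlconf. The `/etc/creds` base directory, the `credentials` file name, the positional mapping of names onto lines, and the secret-name pattern in `public_context` are all assumptions, the sample file contents are constructed, and the permission check relies on POSIX mode bits, so it is meant for a Linux/Unix host.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical base directory; Mike's actual "standard location" is not given.
CREDS_BASE = Path("/etc/creds")

# Setting names that look like secrets and must never reach a template context.
SECRET_NAME_RE = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)


def creds_path(project_name, base=CREDS_BASE):
    """Standard per-project location: <base>/<project>/credentials."""
    return Path(base) / project_name / "credentials"


def check_secret_file(path):
    """Refuse a secrets file that is not a regular file or that group/others
    can read: every other account on the host could otherwise read it."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: readable by group/others, chmod 600 it")
    return True


def read_credentials(path, names):
    """Mike's layout: the first lines hold the credentials, the rest are comments.
    Map the given names positionally onto those first non-blank lines."""
    check_secret_file(path)
    lines = [ln.strip() for ln in Path(path).read_text(encoding="utf-8").splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < len(names):
        raise ValueError(f"{path}: expected at least {len(names)} credential lines")
    return dict(zip(names, lines[: len(names)]))


def get_secret(name, secrets, environ=None):
    """Prefer the file-based value, fall back to the environment (the other
    approach from the thread), and fail closed rather than returning ''."""
    environ = os.environ if environ is None else environ
    value = secrets.get(name) or environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not configured")
    return value


def public_context(settings):
    """Template context with every secret-looking setting dropped, so a careless
    {{ settings.X }} in a template cannot ship a key to the browser."""
    return {k: v for k, v in settings.items() if not SECRET_NAME_RE.search(k)}


def demo():
    """Constructed sample: write a 0600 creds file into a temp dir, read it,
    then loosen the mode and show the loader refusing the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = creds_path("myproject", base=tmp)
        path.parent.mkdir(parents=True)
        path.write_text(
            "sample-django-secret-key\n"
            "sample-db-password\n"
            "sample-authorize-net-key\n"
            "\n"
            "# line 1: SECRET_KEY, line 2: DB password, line 3: Authorize.Net key\n",
            encoding="utf-8",
        )
        os.chmod(path, 0o600)
        secrets = read_credentials(path, ["SECRET_KEY", "DB_PASSWORD", "AUTHNET_KEY"])
        os.chmod(path, 0o644)  # simulate a careless deploy
        try:
            read_credentials(path, ["SECRET_KEY"])
            rejected = False
        except PermissionError:
            rejected = True
        settings = {"SITE_NAME": "demo", "DEBUG": False, **secrets}
        return {
            "secrets": secrets,
            "rejected_when_world_readable": rejected,
            "context_keys": sorted(public_context(settings)),
        }


if __name__ == "__main__":
    print(demo())
```

The permission check is the part worth keeping whichever file layout you choose: a creds file at mode 0644 is readable by every account on the host, not only by the web server's user. Mike's point that compromise requires the server itself to be compromised holds only when the file is both outside the document root and restricted to the account that needs it.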


Re: sphinx inside

2020-05-01 Thread Michael Rohan
Hi,

I believe it's probably easiest to simply create the Sphinx html files in 
one of the static directories (probably should add to the top level one if 
you have one, or one of the apps if the docs are app specific) and just let 
the static file handling serve them.  You could use whitenoise to have 
Django serve them (if you want to go that route).

Take care,
Michael.

On Friday, May 1, 2020 at 1:02:59 PM UTC-7, bengoshi wrote:
>
> I tried a 
>
> path('docs/', TemplateView.as_view(template_name="docs/html/index.html"))
>
> then I can see the index.html but without css and no link works..
>
> Greetings
>
> bengoshi
> On 5/1/20 4:25 PM, Motaz Hejaze wrote:
>
> Make a view that returns a template only , and give it a url
>
> On Fri, 1 May 2020, 10:09 am Kai Kobschätzki,  > wrote:
>
>> Hi Amit,
>>
>> thanks for your response. But in this way, I can't use the sphinx 
>> templates, the links are not correct and after every new make html (or 
>> using sphinx-autobuild) I have to copy the changed or new files. Is there 
>> no more likable way?
>>
>> Greetings
>>
>> bengoshi
>> On 5/1/20 1:53 AM, Amit Gupta wrote:
>>
>> Hii  
>> If u want to just add your file in your django project u can probably 
>> copy and paste the file in your project file and after that you can 
>> successfully use your file in the project by just writing the name of  your 
>> file with correct extension
>>
>> On Fri, 1 May, 2020, 1:29 AM Kai Kobschätzki, > > wrote:
>>
>>> Hi,
>>>
>>> I installed sphinx and I get the documentation in
>>> project_main/docs/_build/html, starting with html/index.html. So far,
>>> fine.
>>>
>>> Now I want to present these documents inside my project so I can see in
>>> the nav-bar a "doc" where I can see them. But I have no idea how to
>>> start it. I tried it with a simple function in a view inside an app, but
>>> then I need a symbolic-link for getting the index.html, but then I can't
>>> get the rest of the documentation.
>>>
>>> I tried to google it but I only find tutorials for using sphinx to make
>>> a documentation for the django-project but I didn't find a tip how I can
>>> realize it.
>>>
>>> Could anyone give a kick-off for it or a link for a tutorial? Perhaps I
>>> have only the wrong keywords..
>>>
>>> Greetings
>>>
>>> bengoshi
>>>
>>>
>>>
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/django-users/17689333-b06c-1dfc-1f18-341689914c42%40gmail.com
>>>
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-users/CAGCPjY-tNBKxj%3Dk-e9ew_6DtySK%2BDPE1QJyyMsXi%2Bjt4f-qA4g%40mail.gmail.com
>>
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-users/6e32e790-46bd-bb1b-24a2-3e765f0a273a%40gmail.com
>>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-users/CAHV4E-c741j1swLvKEmjtrmJeC5RfDzxV5XEBvpvsZLZ8W9FPg%40mail.gmail.com
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/692d8b57-8103-4f2b-9ad9-c8390194ac26%40googlegroups.com.


ANN: django-yamlconf v1.2.1 is available

2020-02-24 Thread Michael Rohan
Hi Folks,

Have released v1.2.1 for django-yamlconf, a module supporting Django
settings via YAML files (searching up the directory hierarchy, e.g., in a
K8s environment, adding a "final" set of settings via "/APPLICATION.yaml");
see the documentation at https://django-yamlconf.readthedocs.io/en/latest/
for more detailed info.

The updates for this release are:

- Tagged with ``v1.2.1``.
- Fixed the long description which caused failures for "pip install" of
v1.2.0.

Take care,
Michael.



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFjR4kVsisswSPkOUWD6zVjfK%3DBZQJ9yQ5R7tp9mpPEyGg%40mail.gmail.com.


ANN: django-yamlconf v1.2.0 is available

2020-02-23 Thread Michael Rohan
Hi Folks,

Have released v1.2.0 for django-yamlconf, a module supporting Django
settings via YAML files (searching up the directory hierarchy, e.g., in a
K8s environment, adding a "final" set of settings via "/APPLICATION.yaml");
see the documentation at https://django-yamlconf.readthedocs.io/en/latest/
for more detailed info.

The updates for this release are:

- Tagged with ``v1.2.0``.
- Updates to support Django 3.0: Simply use "`six`" instead of the
  support "`django.utils.six`" package and use "`render`" instead of
  "`render_to_response`".
- `ycsysfiles` should generate executable files if the source template
  file is executable.
- Ensure the absolute path is used when searching for YAML control
  files.  This issue is seen when running Django apps under uWSGI
  control.
- Added the built-in attribute ``CPU_COUNT`` (primarily for use in uWSGI
  ini files) giving the number of available CPUs.

Take care,
Michael.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFhTf1Ar3paJ-3tJdVVZ1qO%2B-FWEzDOkiDtQwOBHJwiKRw%40mail.gmail.com.


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-30 Thread Michael Rohan
Hi,

Just fyi, it was, in part, to solve this problem that I implemented the
django-yamlconf module:

https://django-yamlconf.readthedocs.io/en/latest/

While getting the data into either a private yaml file or env variable in
the container isn't addressed, it does allow injecting the values into the
Django app without modifying the committed sources.

Take care,
Michael.

On Thu, Jan 30, 2020 at 6:46 AM Chris Wedgwood  wrote:

> Hi Tom
>
> You are definitely not overthinking this. it's important.
>
> This is an area that has baked my noodle for a while now and I always am
> left wondering "Do I have this right?" "Am I vulnerable to attack?",
> and I still haven't figured it out completely. It's like static files: I
> never really feel like I get it entirely :)
>
> Firstly, you should never need to store a password/token/secret in Source
> Control, ever. If you are, stop and think: there must be a better way.
>
> I use environment variables .env to store my secrets but the trick is
> ALWAYS put that in your .gitignore  file. If you start a new git repository
> there is an option to create a .gitignore file
> for Python that is a great starting point.
>
> To complement my *.env* file it has a .env.example file that I DO put in
> source control with a dummy password.
>
> .env file:
>
> MAILGUN_API_KEY =asjdhasds78dy9s8dy012287e210eu209e72
>
> .env.example:
>
> MAILGUN_API_KEY=ThisIsNotARealToken
>
> So when I do local development I can populate my .env file with local dev
> secrets.
>
> For production deployments, I use *Ansible*, for which I provide
> production tokens and secrets in a separate file also not in source control.
>
> The Ansible deployment requires an ssh password that I store in a Password
> Manager that has two-factor authentication.
>
> The docker-compose file can read environment variables from the .env file.
>
> Have a look at Django-Cookiecutter and see how they do it. That helped me
> a lot when I started out
>
> cheers
> Chris
>
> On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
>>
>> Hi there, I'm following the guidelines by making sure the environment
>> variables are stored outside of the settings.py files.
>>
>> The project is "dockerised" and so the environment variables have been
>> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>>
>> This includes things like the project's secret key, API keys, and
>> database passwords.
>>
>> *My question is: *
>> • Just because environment variables are stored in .yml files, won't they
>> be equally insecure the moment I commit the project folder to a git repo
>> (and especially if I push that repo to GitHub)?
>> e.g. the Secret Key will forevermore be stored in the git repo (in
>> earlier versions, even if I later move it to another file in subsequent
>> commits).
>>
>> Is there an even more secure way of storing environment variables? Or am
>> I overthinking it (as I'm the only developer and the GitHub repo is set to
>> Private)?
>>
>> Many thanks in advance for your help.
>>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFhLqucCRWb%3DbsneUdKVuWkNqQR%3DKL_P3zVXAAthzDxAPw%40mail.gmail.com.
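Chris's arrangement above, a real `.env` kept out of git next to a committed `.env.example` with dummy values, only works if the two files stay in step and `.env` really is ignored. The block below is an added example written for this page (not Chris's setup, django-cookiecutter, or python-dotenv) that audits that arrangement: it parses both files, reports keys the example documents but `.env` lacks, keys set only in `.env`, placeholder values copied from the example into the real file, empty values, and whether `.gitignore` covers `.env`. The file contents are constructed; the parser and the `.gitignore` matcher cover the common line forms only and are not full implementations of either format.

```python
import fnmatch
import re

# KEY=value, optional "export " prefix, whitespace allowed around "=".
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Minimal KEY=value parser: skips blanks and '#' comments and strips one
    layer of matching quotes. Not a full dotenv implementation."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def audit_env(env_text, example_text):
    """Compare the real .env against the committed .env.example."""
    env = parse_dotenv(env_text)
    example = parse_dotenv(example_text)
    return {
        "missing": sorted(k for k in example if k not in env),
        "undocumented": sorted(k for k in env if k not in example),
        "placeholders": sorted(k for k in env if k in example and env[k] == example[k]),
        "empty": sorted(k for k, v in env.items() if not v),
    }


def gitignore_covers(gitignore_text, filename=".env"):
    """True if the last matching pattern in .gitignore is not a negation.
    Handles the common forms (".env", "/.env", ".env*", "*.env", "!.env");
    directory rules and other gitignore subtleties are out of scope."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        pattern = pattern.lstrip("/")
        if fnmatch.fnmatchcase(filename, pattern):
            ignored = not negated
    return ignored


def check_repo(env_text, example_text, gitignore_text):
    """Combined report; 'ok' is True only when nothing needs attention."""
    report = audit_env(env_text, example_text)
    report["env_ignored"] = gitignore_covers(gitignore_text, ".env")
    report["ok"] = (
        report["env_ignored"]
        and not report["missing"]
        and not report["placeholders"]
        and not report["empty"]
    )
    return report


# Constructed sample files. The values are invented and not real credentials.
SAMPLE_ENV = """# local development secrets, never committed
MAILGUN_API_KEY=sample-local-mailgun-key
DATABASE_URL=postgres://app:sample-pass@localhost/app
SECRET_KEY=ThisIsNotARealToken
DEBUG=true
"""

SAMPLE_EXAMPLE = """MAILGUN_API_KEY=ThisIsNotARealToken
DATABASE_URL=postgres://user:password@localhost/dbname
SECRET_KEY=ThisIsNotARealToken
STRIPE_KEY=ThisIsNotARealToken
"""

SAMPLE_GITIGNORE = """__pycache__/
*.pyc
.env
"""


if __name__ == "__main__":
    print(check_repo(SAMPLE_ENV, SAMPLE_EXAMPLE, SAMPLE_GITIGNORE))
```

Run against the samples, the report flags `STRIPE_KEY` as missing, `SECRET_KEY` as a placeholder still copied from the example, and `DEBUG` as undocumented. This check does nothing for Tom's history problem: a key that has ever been committed stays in every clone's history, and the only reliable fix is to rotate it.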


ANN: django-yamlconf 1.1.0

2019-03-17 Thread Michael Rohan
Hi Folks,

Have released v1.1.0 for django-yamlconf, a module supporting Django
settings via YAML files (searching up the directory hierarchy, e.g., in a
K8s environment, adding a "final" set of settings via "/APPLICATION.yaml");
see the documentation at https://django-yamlconf.readthedocs.io/en/latest/
for more detailed info.  The primary driver was the update to the PyYAML load
function to require a Loader kwarg.

Take care,
Michael.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFjwxeBPMtfRFczc%3Dn%2B5Nku5nShDbFLX-Ukz2y8LxbXxFw%40mail.gmail.com.


Re: ANN: django-yamlconf 1.0.0

2019-02-28 Thread Michael Rohan
Hi Folks,

Have published the documentation on this module to readthedocs:

https://django-yamlconf.readthedocs.io/en/latest/

Take care,
Michael.

On Mon, Aug 13, 2018 at 5:39 PM Michael Rohan 
wrote:

> Hi Folks,
>
>
>
> The package Django-yamlconf 1.0.0 has been uploaded to pypi.  There are a
> number of YAML (and other formats) support modules for managing Django
> settings.  The main difference here is:
>
> 1. The directory tree is used to store multiple YAML config files with
>    definitions higher up the tree overriding definitions lower down (intent
>    being a committed version for development values, production settings being
>    in, e.g., “/var/myapp” or mapped into a container).
> 2. The settings that can be adjusted are not constrained: simply add a
>    definition to a loaded YAML file and it’s available as a setting (the setup
>    is an import and a load at the end of the settings file).
> 3. Can set elements within dictionaries in the settings using a dotted
>    notation, e.g., DATABASES.default.NAME: mydb
> 4. For debugging purposes, a view is available which can be added to
>    the supported URLs
>
>
>
> For more information and deeper documentation, see the GitHub page,
>
>
>
> https://github.com/vmware/django-yamlconf
>
>
>
> Feedback, bug reports, etc., are welcome.
>
>
>
> Take care,
>
> Michael.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/7db78e8c-d965-4d7f-8067-826468227b6b%40googlegroups.com



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFhY_Ge0v95%2B-foVznKF6PUWa8eqxZ76OX_zscMt%2B-av3w%40mail.gmail.com.


ANN: django-yamlconf 1.0.0

2018-08-13 Thread Michael Rohan


Hi Folks,

 

The package Django-yamlconf 1.0.0 has been uploaded to pypi.  There are a 
number of YAML (and other formats) support modules for managing Django 
settings.  The main difference here is:

   1. The directory tree is used to store multiple YAML config files with 
   definitions higher up the tree overriding definitions lower down (intent 
   being a committed version for development values, production settings being 
   in, e.g., “/var/myapp” or mapped into a container).
   2. The settings that can be adjusted are not constrained: simply add a 
   definition to a loaded YAML file and it’s available as a setting (the setup 
   is an import and a load at the end of the settings file).
   3. Can set elements within dictionaries in the settings using a dotted 
   notation, e.g., DATABASES.default.NAME: mydb
   4. For debugging purposes, a view is available which can be added to the 
   supported URLs

 

For more information and deeper documentation, see the GitHub page,

 

https://github.com/vmware/django-yamlconf

 

Feedback, bug reports, etc., are welcome.

 

Take care,

Michael.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/7db78e8c-d965-4d7f-8067-826468227b6b%40googlegroups.com.
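The two points of the announcement that carry most of the design (also quoted in the "Re: ANN: django-yamlconf 1.0.0" message above) are the walk up the directory tree, with a control file higher up overriding one lower down, and the dotted notation `DATABASES.default.NAME: mydb` that reaches into nested settings. The block below is an added example written for this page that implements both; it is not django-yamlconf's own code. To keep it runnable without PyYAML, a tiny `key: value` line reader stands in for `yaml.safe_load`; a real loader must use `safe_load` (or an explicit safe `Loader`, the change the 1.1.0 announcement on this page refers to), never a bare `yaml.load()`, because full YAML can instantiate arbitrary Python objects. The `APPLICATION.yaml` file name follows the announcements; the directory layout in `demo()` is constructed.

```python
import copy
import tempfile
from pathlib import Path

CONTROL_FILE = "APPLICATION.yaml"  # name from the announcements' "/APPLICATION.yaml"


def find_control_files(start_dir, name=CONTROL_FILE, stop_at=None):
    """Control files from start_dir up to the root (or up to stop_at), ordered
    so that files higher up the tree come last and therefore win on merge.
    Bounding the search with stop_at matters: every directory walked must be
    one you trust, since a file there can override any setting."""
    start = Path(start_dir).resolve()
    stop = Path(stop_at).resolve() if stop_at else None
    found = []
    for directory in [start, *start.parents]:
        candidate = directory / name
        if candidate.is_file():
            found.append(candidate)
        if stop is not None and directory == stop:
            break
    return found


def set_dotted(settings, dotted_key, value):
    """'DATABASES.default.NAME' -> settings['DATABASES']['default']['NAME'],
    creating intermediate dicts as needed; a plain key has no dots."""
    *path, last = dotted_key.split(".")
    node = settings
    for part in path:
        child = node.get(part)
        if not isinstance(child, dict):
            child = node[part] = {}
        node = child
    node[last] = value
    return settings


def read_flat_yaml(path):
    """Stand-in for yaml.safe_load: one 'key: value' per line, '#' comments,
    every value kept as a string. Only for this example."""
    data = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"{path}: malformed line {raw!r}")
        data[key.strip()] = value.strip()
    return data


def load_settings(start_dir, base=None, stop_at=None):
    """Apply each control file in search order onto a copy of the base settings
    (e.g. what settings.py defined before the load at its end)."""
    settings = copy.deepcopy(base) if base else {}
    for path in find_control_files(start_dir, stop_at=stop_at):
        for key, value in read_flat_yaml(path).items():
            set_dotted(settings, key, value)
    return settings


def demo():
    """Constructed tree: <tmp>/srv/APPLICATION.yaml (production, higher up)
    overrides <tmp>/srv/myapp/APPLICATION.yaml (committed development defaults).
    The search is bounded at <tmp> so files elsewhere on the host are ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "srv" / "myapp"
        project.mkdir(parents=True)
        (project / CONTROL_FILE).write_text(
            "DEBUG: true\n"
            "DATABASES.default.NAME: devdb\n"
            "DATABASES.default.HOST: localhost\n",
            encoding="utf-8",
        )
        (project.parent / CONTROL_FILE).write_text(
            "# production values, kept out of the repository\n"
            "DEBUG: false\n"
            "DATABASES.default.NAME: proddb\n",
            encoding="utf-8",
        )
        base = {"DATABASES": {"default": {"ENGINE": "django.db.backends.postgresql"}}}
        return load_settings(project, base, stop_at=tmp)


if __name__ == "__main__":
    print(demo())
```

In the demo the production file wins on `DEBUG` and the database name while the development file's `HOST` and the base `ENGINE` survive, which is the layering the announcement describes. The operational caveat is the override direction: since a file nearer the root takes precedence, the directories above the project must be writable only by the deployment owner, and the walk should stop at a known boundary rather than continuing to `/`.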