Re: secret api keys

2022-10-27 Thread Rajesh Kr. Paul 
If you set debug=true, that's show only errors in url, views, and
templates. Have no chance to show your secret key, which you placed in
settings.py file.

On Thu, 27 Oct, 2022, 5:04 am Muhammad Juwaini Abdul Rahman, <
juwa...@gmail.com> wrote:

> People can't see it straight away.
>
> However, let's say if you forgot to set debut = False, they can see it.
> Not straight away, but very trivial.
>
> It is advisable to put your secret keys in external file (.env for
> example) and use library like django-environ to get the value.
>
> On Wed, 26 Oct 2022 at 23:09, john fabiani  wrote:
>
>> Hi,
>>
>> Maybe a dumb question but if I add secret keys in my settings.py file
>> (or should it be placed) will they be protected from the front end side
>> (the part that is displayed to the user of the website).
>>
>> For example I have a secret key to access Authorize Net.  Will it be
>> protected from someone opening the website and using chrome to see the
>> source?
>>
>> Johnf
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
>> .
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/CAFKhtoSOzw7DcJmnXOrszXrv5OZ9Dt%2BJ%3D%2BAQaJhGczGL3-e%3DQQ%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAGw%2B2wJgyYB-9zD5ccs%3Daoq0R--94AtdrZvweCYm1oeomPMWsA%40mail.gmail.com.

Re: secret api keys

2022-10-26 Thread Michael Rohan 
Hi,

This is one of the drivers for my package:

https://django-yamlconf.readthedocs.io/en/latest/

Externalize setting values to yaml files.

Take care,
Michael

On Wed, Oct 26, 2022 at 9:45 PM Mike Dewhirst  wrote:

> On 27/10/2022 3:32 pm, Mike Dewhirst wrote:
>
> Not a dumb question but frequently asked.
>
> There are two approaches - one is to export your secrets as environment
> vars and read them from there. The other is to keep them in disk files and
> read them as required.
>
> In both cases the idea is to keep secrets out of your code and thus out of
> your repo.
>
> I prefer the latter approach.
>
>
> Further to that, the secrets are consumed by your code on the server which
> constructs html from a template rendered with values inserted by your code
> and sends that all to the browser which made the request.
>
> So if you don't include your secrets in your constructed html they won't
> appear in the browser and will remain secret.
>
> My preferred approach (above) is only secure if the files containing the
> secrets are stored on the server in a location accessible to the web server
> (Apache perhaps in your case) but access is denied to a browser.
>
> In my case, I use a "creds" directory which satisfies that scenario.
>
>
> Cheers
>
> Mike
>
>  Original message ----
> From: john fabiani  
> Date: 27/10/22 02:09 (GMT+10:00)
> To: django-users@googlegroups.com
> Subject: secret api keys
>
> Hi,
>
> Maybe a dumb question but if I add secret keys in my settings.py file
> (or should it be placed) will they be protected from the front end side
> (the part that is displayed to the user of the website).
>
> For example I have a secret key to access Authorize Net.  Will it be
> protected from someone opening the website and using chrome to see the
> source?
>
> Johnf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au
> <https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au?utm_medium=email_source=footer>
> .
>
>
>
> --
> Signed email is an absolute defence against phishing. This email has
> been signed with my private key. If you import my public key you can
> automatically decrypt my signature and be sure it came from me. Just
> ask and I'll send it to you. Your email software can handle signing.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au
> <https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au?utm_medium=email_source=footer>
> .
>


-- 
Michael Rohan
mro...@acm.org

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFjA_5G6SgVtquiqAxxMp0yOaiKE67fuVZ%2BSCN9%2B9Q1mQQ%40mail.gmail.com.

Re: secret api keys

2022-10-26 Thread Mike Dewhirst 

On 27/10/2022 3:32 pm, Mike Dewhirst wrote:

Not a dumb question but frequently asked.

There are two approaches - one is to export your secrets as 
environment vars and read them from there. The other is to keep them 
in disk files and read them as required.


In both cases the idea is to keep secrets out of your code and thus 
out of your repo.


I prefer the latter approach.


Further to that, the secrets are consumed by your code on the server 
which constructs html from a template rendered with values inserted by 
your code and sends that all to the browser which made the request.


So if you don't include your secrets in your constructed html they won't 
appear in the browser and will remain secret.


My preferred approach (above) is only secure if the files containing the 
secrets are stored on the server in a location accessible to the web 
server (Apache perhaps in your case) but access is denied to a browser.


In my case, I use a "creds" directory which satisfies that scenario.



Cheers

Mike

 Original message 
From: john fabiani 
Date: 27/10/22 02:09 (GMT+10:00)
To: django-users@googlegroups.com
Subject: secret api keys

Hi,

Maybe a dumb question but if I add secret keys in my settings.py file
(or should it be placed) will they be protected from the front end side
(the part that is displayed to the user of the website).

For example I have a secret key to access Authorize Net.  Will it be
protected from someone opening the website and using chrome to see the
source?

Johnf

--
You received this message because you are subscribed to the Google 
Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com.


--
You received this message because you are subscribed to the Google 
Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au 
<https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au?utm_medium=email_source=footer>.



--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.

--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au.


OpenPGP_signature
Description: OpenPGP digital signature

secret api keys

2022-10-26 Thread Mike Dewhirst 

Not a dumb question but frequently asked.

There are two approaches - one is to export your secrets as environment 
vars and read them from there. The other is to keep them in disk files 
and read them as required.


In both cases the idea is to keep secrets out of your code and thus out 
of your repo.


I prefer the latter approach.

Cheers

Mike

 Original message 
From: john fabiani 
Date: 27/10/22 02:09 (GMT+10:00)
To: django-users@googlegroups.com
Subject: secret api keys

Hi,

Maybe a dumb question but if I add secret keys in my settings.py file
(or should it be placed) will they be protected from the front end side
(the part that is displayed to the user of the website).

For example I have a secret key to access Authorize Net.  Will it be
protected from someone opening the website and using chrome to see the
source?

Johnf

--
You received this message because you are subscribed to the Google 
Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com.


--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au.


OpenPGP_signature
Description: OpenPGP digital signature

Re: secret api keys

2022-10-26 Thread Muhammad Juwaini Abdul Rahman 
People can't see it straight away.

However, let's say if you forgot to set debut = False, they can see it. Not
straight away, but very trivial.

It is advisable to put your secret keys in external file (.env for example)
and use library like django-environ to get the value.

On Wed, 26 Oct 2022 at 23:09, john fabiani  wrote:

> Hi,
>
> Maybe a dumb question but if I add secret keys in my settings.py file
> (or should it be placed) will they be protected from the front end side
> (the part that is displayed to the user of the website).
>
> For example I have a secret key to access Authorize Net.  Will it be
> protected from someone opening the website and using chrome to see the
> source?
>
> Johnf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAFKhtoSOzw7DcJmnXOrszXrv5OZ9Dt%2BJ%3D%2BAQaJhGczGL3-e%3DQQ%40mail.gmail.com.

Re: secret api keys

2022-10-26 Thread Lakshyaraj Dash 
No one can see your secret keys. It's a far thought, no can can see on what
language you server side is written in.

On Wed, Oct 26, 2022, 20:39 john fabiani  wrote:

> Hi,
>
> Maybe a dumb question but if I add secret keys in my settings.py file
> (or should it be placed) will they be protected from the front end side
> (the part that is displayed to the user of the website).
>
> For example I have a secret key to access Authorize Net.  Will it be
> protected from someone opening the website and using chrome to see the
> source?
>
> Johnf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAF7qQgAdG5_Hh1oP6jw1wwMBwNw9-kxpp7yjGom-VPxTKA8P%3DA%40mail.gmail.com.

secret api keys

2022-10-26 Thread john fabiani 

Hi,

Maybe a dumb question but if I add secret keys in my settings.py file 
(or should it be placed) will they be protected from the front end side 
(the part that is displayed to the user of the website).


For example I have a secret key to access Authorize Net.  Will it be 
protected from someone opening the website and using chrome to see the 
source?


Johnf

--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com.