Python/Django - Avoid saving passwords in source code

Frontend · unresolved · 4 answers · 493 views
悲&欢浪女 2021-01-29 23:44

I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py f

4 answers
  •  闹比i (OP)
     2021-01-30 00:13

    Although environment variables are convenient for a lot of configuration, putting passwords in environment variables is not secure. With the alternative being a configuration file outside regular version control, here are some cons of each:

    • Environment variables might accidentally leak (through debugging channels that might get transmitted via plaintext, to end-users, or to unexpected places in the filesystem like ~/.*sh_history).

    • Configuration files might accidentally get added to version control and end up in repositories accessible to people without deployment privileges.

    Read the blog post Environment Variables Considered Harmful for Your Secrets for more arguments: The environment is accessible to the entire process, is inherited by child (and possibly 3rd-party) processes, and there exists no clear assumption among external developers to treat environment variables as confidential.

    The simplest configuration file format in Python is simply a Python module.

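The answer above stops at "a Python module" as the config-file format. The block below is an added example, not code from the original post or from Django, of how such a module can be loaded from `settings.py` while guarding against the second con the answer lists (the file leaking to people without deployment privileges): the loader refuses any secrets module that group or other users can read, and refuses to start if a required key is missing rather than silently running with an empty password. The file names (`local_secrets.py`, `leaky_secrets.py`), the key names and the `/etc/myapp/...` path are assumptions chosen for illustration; the sample contents are constructed and are not real credentials.

```python
"""Load Django secrets from a Python module kept outside the repository.

Added example (not from the original post). The settings module would do
something like:

    # settings.py -- path is an assumption; it is not secret, only the file is
    _secrets = load_secrets("/etc/myapp/local_secrets.py")
    SECRET_KEY = _secrets["SECRET_KEY"]
    DATABASES = {"default": {..., "PASSWORD": _secrets["DATABASE_PASSWORD"]}}

and /etc/myapp/local_secrets.py (mode 0600, never committed) would contain
plain Python assignments for each key in REQUIRED_KEYS.
"""
import importlib.util
import os
import stat
import tempfile
from pathlib import Path

# Keys the application cannot start without (assumed names for this example).
REQUIRED_KEYS = ("SECRET_KEY", "DATABASE_PASSWORD")


class SecretsError(RuntimeError):
    """Raised when the secrets module is missing, too permissive, or incomplete."""


def check_permissions(path: Path) -> None:
    """Refuse a secrets file that anyone other than its owner can read or write.

    The check uses the POSIX mode bits, so it is meaningful on Unix-like hosts.
    """
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsError(
            f"{path} has mode {mode:o}; expected 0600 (owner-only access)"
        )


def load_secrets(path) -> dict:
    """Import a Python module by path and return the required keys as a dict."""
    path = Path(path)
    if not path.is_file():
        raise SecretsError(f"secrets module not found: {path}")
    check_permissions(path)

    # Import by file location so the module does not have to be on sys.path
    # (keeping it off sys.path also keeps it out of the repository tree).
    spec = importlib.util.spec_from_file_location("_local_secrets", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)

    # Fail closed: an empty string or missing name is treated as absent.
    missing = [key for key in REQUIRED_KEYS if not getattr(module, key, None)]
    if missing:
        raise SecretsError(f"{path} is missing required keys: {', '.join(missing)}")
    return {key: getattr(module, key) for key in REQUIRED_KEYS}


def demo() -> dict:
    """Constructed scenario: one protected module, one world-readable, one incomplete."""
    workdir = Path(tempfile.mkdtemp())  # mkdtemp creates the directory as 0700
    good = workdir / "local_secrets.py"
    leaky = workdir / "leaky_secrets.py"
    partial = workdir / "partial_secrets.py"

    # Constructed placeholder values, not real credentials.
    body = 'SECRET_KEY = "example-not-a-real-key"\nDATABASE_PASSWORD = "example-db-password"\n'
    good.write_text(body)
    leaky.write_text(body)
    partial.write_text('SECRET_KEY = "example-not-a-real-key"\n')
    os.chmod(good, 0o600)     # owner-only: accepted
    os.chmod(leaky, 0o644)    # group/world readable: rejected
    os.chmod(partial, 0o600)  # protected but incomplete: rejected

    results = {"loaded": load_secrets(good)}
    for label, path in (("rejected_leaky", leaky), ("rejected_partial", partial)):
        try:
            load_secrets(path)
            results[label] = None
        except SecretsError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the file should be created with the restrictive mode from the start (for example `install -m 0600` or `os.open(..., 0o600)`) rather than written and then chmod-ed as the demo does for brevity, and the path should be listed in `.gitignore` so the first con from the answer (the file landing in the repository) is also covered.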