Keep Secret Keys Out

Question

One of the causes of the local_settings.py anti-pattern is that putting SECRET_KEY, AWS keys, etc.. values into settings files has problem:

• Secrets often shoul

Answer 1

Here's one way to do it that is compatible with deployment on Heroku:

1. Create a gitignored file named .env containing:

   export DJANGO_SECRET_KEY = 'replace-this-with-the-secret-key'

2. Then edit settings.py to remove the actual SECRET_KEY and add this instead:

   SECRET_KEY = os.environ['DJANGO_SECRET_KEY']

3. Then when you want to run the development server locally, use:

   source .env
python manage.py runserver

4. When you finally deploy to Heroku, go to your app Settings tab and add DJANGO_SECRET_KEY to the Config Vars.