I'm trying to run a Django application from a cloned repository and I noticed that it has environment variables stored in the settings.py file (namely, the SECRET_KEY and DEBUG).
When running the application, it gives me the following error:
django.core.exceptions.ImproperlyConfigured: Set the SECRET_KEY environment variable
I understand that Django cannot run without it but I have the following doubts regarding this problem.
Should I provide my own SECRET_KEY and declare it inside a .env file?
Also, is it necessary to have the same SECRET_KEY as the original project file did?
CodePudding user response:
First, welcome to SO!
Second, it's best practice to store the secret key and other sensitive information (database password and so on) in environment variables. However, if you're just cloning a repo to practice on your local machine, you can use the cloned one until you think about deploying and version control.
One way you can do that quite easily, in my opinion, is django-environ. Check it out: https://django-environ.readthedocs.io/en/latest/
Regarding your question about the secret key, there is a reason why it is called a secret key: keep it a secret! In development, it's somewhat fine to temporarily use the cloned one but always make sure to keep the key secret for production. If you use version control (such as Git) the .env file should not be included to avoid incidents.
CodePudding user response:
Should I provide my own SECRET_KEY and declare it inside a .env file?
Yes, you can either set the required environment variable in the shell where you run the Django server or put it in a .env file.
Also, is it necessary to have the same SECRET_KEY as the original project file did?
No, you don't need the same value as the original project did. SECRET_KEY is used to salt. SECRET_KEY is used for cryptographic signing in sessions, password reset tokens, etc. For more details see the documentation. The only restriction is that you must maintain the same SECRET_KEY for an instance of the Django app. Otherwise sessions and other signed data will be invalidated.
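Added example, not part of either answer above and not Django's own code: a standard-library sketch of generating your own SECRET_KEY once, persisting it in a .env file so the instance keeps the same value, and showing why data signed under one key fails under another. The helper names (`read_env_file`, `ensure_secret_key`, `sign`, `verify`) are hypothetical, and the HMAC functions are a simplified stand-in for Django's signing.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import Path


def read_env_file(path):
    """Parse simple KEY=VALUE lines; blank lines and # comments are skipped."""
    values = {}
    if Path(path).exists():
        for line in Path(path).read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                values[key.strip()] = value.strip().strip("'\"")
    return values


def ensure_secret_key(env_path=".env"):
    """Return SECRET_KEY from the process environment or the .env file.

    If neither has one, generate a fresh key and append it to the .env file
    so the same value is reused on every later start of this instance.
    """
    key = os.environ.get("SECRET_KEY") or read_env_file(env_path).get("SECRET_KEY")
    if not key:
        key = secrets.token_urlsafe(50)  # random, unrelated to the original project's key
        # Owner-only permissions on creation; keep this file out of version control.
        fd = os.open(env_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a") as fh:
            # Leading newline guards against an existing file with no trailing newline.
            fh.write(f"\nSECRET_KEY={key}\n")
    return key


def sign(value, key):
    """HMAC-SHA256 tag over value (assumed stand-in for Django's signing)."""
    return hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()


def verify(value, tag, key):
    """Constant-time check that tag was produced over value with this key."""
    return hmac.compare_digest(sign(value, key), tag)
```

In settings.py the returned value would be assigned to `SECRET_KEY`; add `.env` to `.gitignore` so the generated key is never committed.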