Is this file safe to commit to a repository or will it reveal my secret key?

Time:10-12

I am currently trying to set up a secure configuration for my secret key. I am following "Flask Web Development" by Miguel Grinberg. In chapter 7, he provides the example of a config.py file.

In the config.py he defines the SECRET_KEY in the following way:

import os

class Config:
    # Read the key from the environment; fall back to a hard-coded default if unset
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'

From my understanding, this file functions by first looking in the ENV for the value of 'SECRET_KEY' and, failing to find one, provides a default secret_key of 'hard to guess string'.

Is this file safe to commit to a repository, or will it undermine the encryption of cookies if I don't have an ENV-defined secret_key?

If I deployed this code and ran the web app with an ENV not including 'SECRET_KEY', people would be able to find 'hard to guess string' in my repository and use that secret_key, right?

CodePudding user response:

The safest way to avoid making a mistake is to remove `or 'hard to guess string'`, then ensure that the .env in your production environment has the production secret key, and the .env in your development environment uses a separate secret. You'll want to add .env to your .gitignore so that it doesn't accidentally get checked in.

If you haven't gotten there yet, Grinberg adds python_dotenv in chapter 15.
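As an added example (not from the book or the answer above), here is the fail-closed version of that pattern: the loader reads SECRET_KEY from the environment or a .env file and raises instead of falling back to a committed default, and it also rejects the well-known placeholder and too-short values. The names ConfigError, parse_dotenv, load_secret_key and new_secret_key are hypothetical; parse_dotenv is a minimal stand-in for python-dotenv so the snippet runs offline.

```python
import os
import secrets

class ConfigError(RuntimeError):
    """Raised when the secret key is missing or obviously unsafe."""

# Placeholder values that appear in tutorials and therefore in public repos.
PLACEHOLDER_SECRETS = {"hard to guess string", "changeme", "secret", "password"}
MIN_SECRET_BYTES = 32  # enough entropy for the HMAC that signs Flask session cookies

def parse_dotenv(text):
    """Minimal KEY=VALUE parser for .env contents (stand-in for python-dotenv)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

def load_secret_key(environ):
    """Return SECRET_KEY from the mapping, or raise rather than guess a default."""
    value = environ.get("SECRET_KEY", "")
    if not value:
        raise ConfigError("SECRET_KEY is not set; refusing to start with a default")
    if value.strip().lower() in PLACEHOLDER_SECRETS:
        raise ConfigError("SECRET_KEY is a well-known placeholder; rotate it")
    if len(value.encode()) < MIN_SECRET_BYTES:
        raise ConfigError("SECRET_KEY is too short")
    return value

def new_secret_key():
    """Generate a value for the production .env (run once, never commit it)."""
    return secrets.token_urlsafe(48)

class Config:
    def __init__(self, environ=None):
        self.SECRET_KEY = load_secret_key(os.environ if environ is None else environ)

if __name__ == "__main__":
    # Constructed .env contents for a local run; the real file sits in .gitignore.
    env = parse_dotenv("SECRET_KEY=" + new_secret_key())
    print("loaded a key of", len(Config(env).SECRET_KEY), "chars")
```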
