Python/Django - Avoid saving passwords in source code

Question

I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py file.

Storing my password in plain text would open me up to a number of security problems, particularly because this is an open source project and my source code would be version controlled (through git, on Github, for the entire world to see!)

The question is, what would be the best practice for securely writing a settings.py file in a a Django/Python development environment?

score 48 · Accepted Answer · answered Mar 10 '13 at 21:20

48

Although I wasn't able to come across anything Python-specific on stackoverflow, I did find a website that was helpful, and thought I'd share the solution with the rest of the community.

The solution: environment variables.

Note: Although environment variables are similar in both Linux/Unix/OS X and in the Windows worlds, I haven't tested this code on a Windows machine. Please let me know if it works.

In your bash/sh shell, type:

export MYAPP_DB_USER='myapp'
export MYAPP_DB_PASSWORD='testing123'

And in your Django settings.py file:

DATABASE_USER = os.environ.get("MYAPP_DB_USER", '')
DATABASE_PASSWORD = os.environ.get("MYAPP_DB_PASSWORD", '')

In this case, the username and password would default to an empty string if the environment variable didn't exist.

answered Mar 10 '13 at 21:20

Ashwin Balamohan

3,303
2
25
47

7

...and, the file with the passwords you set to .gitignore – Brandon Bertelsen Mar 10 '13 at 21:27
The Two Scoops of Django book provides some code for raising an exception in case the environment variables don't exist in chapter 5: https://django.2scoops.org/ – Mar 10 '13 at 22:00
1

Specifically see the Two Scoops code [on their github](https://github.com/twoscoops/django-twoscoops-project/blob/master/project_name/project_name/settings/production.py) – Michael C. O'Connor Mar 10 '13 at 22:02
In this case, the passwords wouldn't have been stored at the file level at all. – Ashwin Balamohan Mar 10 '13 at 22:03
1

@MichaelC.O'Connor damn, I was looking for that heh – Mar 11 '13 at 01:14
3

The downside of this approach is that error report emails leak environment variables. – user May 18 '15 at 05:12
Another downside is that setting environment variables directly in shell leaks into ~/.*sh_history. – sshine Dec 08 '16 at 15:01
2

what if this project needs to be hosted in a cloud server? how would i export the environment variable there? – QuestionEverything Sep 04 '17 at 05:40

score 3 · Answer 2 · edited May 23 '17 at 12:09

Although environment variables are convenient for a lot of configuration, putting passwords in environment variables is not secure. With the alternative being a configuration file outside regular version control, here are some various cons:

Environment variables might accidentally leak (through debugging channels that might get transmitted via plaintext, to end-users, or to unexpected places in the filesystem like ~/.*sh_history).
Configuration files might accidentally get added to version control and end up in repositories accessible to people without deployment privileges.

Read the blog post Environment Variables Considered Harmful for Your Secrets for more arguments: The environment is accessible to the entire process, is inherited to child (and possibly 3rd-party) processes, and there exists no clear assumption among external developers to treat environment variables as confidential.

The simplest configuration file format in Python is simply a Python module.

score 0 · Answer 3 · answered Jan 07 '20 at 17:31

This is an old question and the person who asked I'm sure has found a way to deal with this, but I was looking this up myself and figured since the answers here weren't quite the solution I was looking for I might add what I did for any other people potentially asking the same question.

What I did was use getpass() to have the settings file ask for the password when run at startup.

from getpass import getpass

#[...]

    DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql', #or whatever DB you use
        'NAME': 'mydb',
        'USER': 'myuser',
        'PASSWORD': getpass(),
        'HOST': '',
        'PORT': '',
    }
}

score 0 · Answer 4 · answered Jan 21 '20 at 15:08

Having something like this in your settings.py:

db_user = 'my_db_user' db_password = 'my_db_password'

Hard codes valuable information in your code and does pose a security risk. An alternative is to store your valuable information (Api keys, database passwords etc.) on your local machine as environment variables. E.g. on linux you could add:

export DB_USER = "my_db_user" export DB_PASS = "my_db_password"

to your .bash_profile. Or there is usually an option with your hosting provider to set environment variables e.g. with AWS elastic beanstalk you can add env variables under your configuration on console.

Then to retrieve your information import os:

import os db_user = os.environ.get['DB_USER'] db_password = os.environ.get['DB_PASS']

you sure while **export DB_USER = "my_db_user"** have to **my_db_user** in str — Lord-shiv, Apr 08 '21 at 14:57

Python/Django - Avoid saving passwords in source code

4 Answers4

Linked