0

So in being a newb to Django I accidentally committed my secret key to a private repository that I have for my website. Considering that I intend to use this site for business purposes, I want to make sure that it is as secure as possible. Do I need to generate a whole new Django key? Or could I possibly just edit, let's say, 10 characters of the secret key, add the edited secret key to my .env file, add the .env to my .gitignore file and call it a day?

I recognize this is not the best approach. I will most likely completely generate a new secret key but I thought this might be an effective quick fix.

I figure that by doing it this way the new secret key is still randomly generated and the old one is still available on GitHub but useless to anyone who happens to scrape it.

FYI I am using python-decouple with a .env file, which is where I save all my secret variables (AWS info, secret key, DB info, etc.). I have separate settings files (production.py, development.py, common_settings.py) where both production.py and development.py import all of the data from common_settings.py. I just happened to forget to delete the original settings.py file before I made my first commit.

Tom H

4 Answers

5

This is normal, so don't worry; it doesn't necessarily require Stack Overflow to answer.

SECRET_KEY is always 50 characters long.

So you can write a method that generates a random string of characters, or use a site like this: https://www.miniwebtool.com/django-secret-key-generator/

Aaron Kazah
  • Yeah I know it's a pretty simple fix. I guess I was just afraid that when you create a Django project it might hide the secret key in some other location that could cause problems down the line. Wanted to make sure I didn't change it and then the whole site won't work haha – Tom H Jul 03 '19 at 16:58
3

Do I need to generate a whole new Django Key? Or … add the .env to my .gitignore file

Both. First remove settings.py from the history, then generate a new key, save it in .env and add the .env to your .gitignore.

phd
  • Why not just edit the SECRET_KEY variable in .env? The .env file has never been committed so is there a reason to completely remove the .env file? – Tom H Jul 03 '19 at 16:57
  • You've said "*committed my secret key*", so the first thing you need to do is get rid of that part of the history. Because if you push, all commits will be pushed, including the committed secret key. – phd Jul 03 '19 at 16:58
  • Your .env file may contain other sensitive information; never leave it in your history. – Aaron Kazah Jul 03 '19 at 16:59
  • Sorry, I had a hard time wording my question / explaining the situation. 1. I created my Django project and created separate settings files. 2. Added all secret information to .env and then added .env to my .gitignore file. 3. I made a commit, except I never deleted the original settings.py file, which still had the secret key inside of it, and I had not added it to the .gitignore file (the settings.py file was not configured to take in the secret key from the .env file at the time of the commit). – Tom H Jul 03 '19 at 17:08
  • So it doesn't seem like you've committed the secret key, so I don't see any problems at all. My answer is about a secret key that has been committed. – phd Jul 03 '19 at 17:10
  • Haha I am doing a poor job of communicating. The settings.py file was committed and it had SECRET_KEY= rather than SECRET_KEY=config('SECRET_KEY'). But it doesn't matter. Your answer helped. I really appreciate it. – Tom H Jul 03 '19 at 17:20
  • I changed the name of the file in the answer. – phd Jul 03 '19 at 17:21
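Taken together, the two answers above come down to three steps: generate a brand-new key rather than patching the leaked one, keep it in .env (which python-decouple's config('SECRET_KEY') reads), and make sure no settings module still carries a literal key and that .env is gitignored. The following is an added example, not code from the answers or from Django; the helper names and the two settings snippets are constructed for illustration, while the key length and alphabet mirror Django's own get_random_secret_key().

```python
import re
import secrets
from pathlib import Path

# Same length and alphabet as Django's get_random_secret_key()
# (django.core.management.utils), drawn from the secrets CSPRNG.
SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
SECRET_KEY_LENGTH = 50

# Matches SECRET_KEY assigned a string literal in a settings module,
# i.e. the form that was committed in the question.
_HARDCODED_KEY = re.compile(r"^\s*SECRET_KEY\s*=\s*['\"]", re.MULTILINE)


def generate_secret_key(length: int = SECRET_KEY_LENGTH) -> str:
    """Return a fresh key; nothing is derived from the leaked one."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def has_hardcoded_secret_key(settings_source: str) -> bool:
    """True when a settings module still assigns SECRET_KEY a literal."""
    return _HARDCODED_KEY.search(settings_source) is not None


def gitignore_covers_env(gitignore_text: str) -> bool:
    """True when .gitignore has a rule that excludes the .env file itself."""
    rules = {line.strip() for line in gitignore_text.splitlines()}
    return bool(rules & {".env", "/.env", "**/.env"})


def render_env_line(key: str) -> str:
    """The line python-decouple's config('SECRET_KEY') reads from .env."""
    return f"SECRET_KEY={key}\n"


def write_env_file(path: Path, key: str) -> None:
    """Write .env readable only by its owner; it must also be gitignored."""
    path.write_text(render_env_line(key))
    path.chmod(0o600)


# Constructed samples (hypothetical, not from the question's repository).
LEAKED_SETTINGS = "SECRET_KEY = 'constructed-sample-not-a-real-key'\n"
FIXED_SETTINGS = "from decouple import config\nSECRET_KEY = config('SECRET_KEY')\n"

if __name__ == "__main__":
    print("leaked settings flagged:", has_hardcoded_secret_key(LEAKED_SETTINGS))
    print("fixed settings flagged:", has_hardcoded_secret_key(FIXED_SETTINGS))
    print(render_env_line(generate_secret_key()), end="")
```

Rotating the key invalidates existing sessions, password-reset tokens and other signed values, so plan the rotation for a moment when that is acceptable.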
0

I ended up just creating a new key from the site @aaronkazah provided. If you look in the comments under @phd you'll get better clarification on my issue. Not a good reason to provide a quick fix when the best way to do it is to just create a new key. It took seconds. Thanks for the help everyone.

Tom H
0

I have tried the same thing but unfortunately it doesn't work for me.

  1. Install dotenv package: pip install -U python-dotenv
  2. Import this package and call your .env variable: from dotenv import load_dotenv

An example is below:

from dotenv import load_dotenv   # python-dotenv: reads KEY=value pairs from a .env file
import os

load_dotenv()                    # must run before the variables are read; by default it
                                 # does not override variables already set in the shell

user_name = os.environ.get('USER')        # key names must match the .env entries exactly
password = os.environ.get('password')

print(user_name, password)

Output

username password
Otabek Butcher