
In my Django project I have an .env file which holds my DJANGO_SECRET_KEY environment variable:

export DJANGO_SECRET_KEY=dummysecretkey123

I added a reference to the .env file in my .gitignore file before I initialized the repo, so the SECRET_KEY should not be visible in any repo tracked by git.

In my settings.py I set my SECRET_KEY as follows:

SECRET_KEY = env.str("DJANGO_SECRET_KEY")

For deployment on Heroku I added SECRET_KEY via Config Vars in the Heroku Dashboard - everything worked as expected.

Then, out of curiosity, I changed the SECRET_KEY in Heroku to a wrong value to see its effect. To my surprise the app was still online and working. I restarted all dynos, but nothing changed. Then I checked the Heroku server's environment variables via heroku run python manage.py shell > import os > print(os.environ) and could see the deliberately set wrong value for SECRET_KEY.

What am I missing here? Isn't the purpose of the SECRET_KEY to protect my app, meaning that if it is not set properly, the app should not be working?

Daniel
  • Does this answer your question? [Effects of changing Django's SECRET\_KEY](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key) – Sumithran Aug 16 '21 at 09:59
  • Thanks - so if I understand correctly: a wrong SECRET_KEY does not inhibit the app from running, because this is not its purpose in the first place, correct? – Daniel Aug 16 '21 at 10:09

1 Answer


The purpose of SECRET_KEY in Django is described in the official documentation.

It states that the secret key is used for:

  • sessions,
  • messages,
  • PasswordResetView tokens,
  • cryptographic signing.

Kholdarbekov
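The answer's list explains why the experiment in the question behaved the way it did: SECRET_KEY is a signing key, not a start-up check, so a wrong value leaves the process running but makes every signature issued under the old key fail to verify. The following is an added example, not code from the question, the answer or Django itself: a small HMAC-based signer modelled on what Django's signing machinery does, used to show a session cookie signed under one key being rejected once the key changes. The key values and the session payload are constructed for the demonstration; the placeholder key is the one from the question.

```python
# Added example (not from the question or the answer): a minimal HMAC-based
# signer modelled on what Django's signing machinery does, used to show why
# changing SECRET_KEY keeps the app running but invalidates everything that
# was signed under the old key (sessions, messages, password-reset tokens).
# Constructed values only; nothing here is Django's own code.
import base64
import hashlib
import hmac
import json


class BadSignature(Exception):
    """Raised when a signature does not match (Django raises a same-named error)."""


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, the encoding Django's signing module uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign(value: str, secret_key: str, salt: str = "django.core.signing") -> str:
    """Return 'value:signature' where signature = HMAC-SHA256 over the value.

    The salt keeps signatures for different purposes (sessions vs. reset tokens)
    from being interchangeable, mirroring how Django derives a per-purpose key.
    """
    derived_key = hashlib.sha256((salt + "signer" + secret_key).encode()).digest()
    mac = hmac.new(derived_key, value.encode(), hashlib.sha256).digest()
    return f"{value}:{_b64(mac)}"


def unsign(signed_value: str, secret_key: str, salt: str = "django.core.signing") -> str:
    """Recover the value if the signature checks out under secret_key, else raise."""
    value, _, signature = signed_value.rpartition(":")
    expected = sign(value, secret_key, salt).rpartition(":")[2]
    # Constant-time comparison, as Django does, to avoid a timing side channel
    if not hmac.compare_digest(signature, expected):
        raise BadSignature("signature does not match")
    return value


def session_survives_key_change(old_key: str, new_key: str) -> bool:
    """Simulate a session cookie issued under old_key and read back after a key change.

    Returns True if the cookie is still accepted, False if the server now rejects
    it (which is what forces every user to log in again after a key rotation).
    """
    payload = _b64(json.dumps({"user_id": 42}).encode())  # constructed session data
    cookie = sign(payload, old_key, salt="django.contrib.sessions")
    try:
        unsign(cookie, new_key, salt="django.contrib.sessions")
        return True
    except BadSignature:
        return False


if __name__ == "__main__":
    good = "dummysecretkey123"   # the placeholder key from the question
    wrong = "some-other-value"   # stands in for the deliberately wrong Heroku value
    token = sign("reset-for-user-42", good)
    print("verified with the right key :", unsign(token, good))
    print("same key, cookie accepted   :", session_survives_key_change(good, good))
    print("rotated key, cookie accepted:", session_survives_key_change(good, wrong))
```

Nothing in `unsign` consults the key at import or start-up time, which is the point of the question: the process is healthy with any key, and the consequences of a wrong or rotated key show up only as rejected sessions, invalid password-reset links and unreadable signed cookies. The salt argument also shows why a reset token cannot be replayed as a session cookie even under the same SECRET_KEY.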