Hi, This is one of the drivers for my package:
https://django-yamlconf.readthedocs.io/en/latest/ Externalize setting values to yaml files. Take care, Michael On Wed, Oct 26, 2022 at 9:45 PM Mike Dewhirst <mi...@dewhirst.com.au> wrote: > On 27/10/2022 3:32 pm, Mike Dewhirst wrote: > > Not a dumb question but frequently asked. > > There are two approaches - one is to export your secrets as environment > vars and read them from there. The other is to keep them in disk files and > read them as required. > > In both cases the idea is to keep secrets out of your code and thus out of > your repo. > > I prefer the latter approach. > > > Further to that, the secrets are consumed by your code on the server which > constructs html from a template rendered with values inserted by your code > and sends that all to the browser which made the request. > > So if you don't include your secrets in your constructed html they won't > appear in the browser and will remain secret. > > My preferred approach (above) is only secure if the files containing the > secrets are stored on the server in a location accessible to the web server > (Apache perhaps in your case) but access is denied to a browser. > > In my case, I use a "creds" directory which satisfies that scenario. > > > Cheers > > Mike > > -------- Original message -------- > From: john fabiani <jo...@jfcomputer.com> <jo...@jfcomputer.com> > Date: 27/10/22 02:09 (GMT+10:00) > To: django-users@googlegroups.com > Subject: secret api keys > > Hi, > > Maybe a dumb question but if I add secret keys in my settings.py file > (or should it be placed) will they be protected from the front end side > (the part that is displayed to the user of the website). > > For example I have a secret key to access Authorize Net. Will it be > protected from someone opening the website and using chrome to see the > source? > > Johnf > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com > . > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au > <https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au?utm_medium=email&utm_source=footer> > . > > > > -- > Signed email is an absolute defence against phishing. This email has > been signed with my private key. If you import my public key you can > automatically decrypt my signature and be sure it came from me. Just > ask and I'll send it to you. Your email software can handle signing. > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au > <https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au?utm_medium=email&utm_source=footer> > . > -- Michael Rohan mro...@acm.org -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAOCsNFjA_5G6SgVtquiqAxxMp0yOaiKE67fuVZ%2BSCN9%2B9Q1mQQ%40mail.gmail.com.
