Hi,

This is one of the drivers for my package:

https://django-yamlconf.readthedocs.io/en/latest/

Externalize setting values to yaml files.

Take care,
Michael

On Wed, Oct 26, 2022 at 9:45 PM Mike Dewhirst <[email protected]> wrote:

> On 27/10/2022 3:32 pm, Mike Dewhirst wrote:
>
> Not a dumb question but frequently asked.
>
> There are two approaches - one is to export your secrets as environment
> vars and read them from there. The other is to keep them in disk files and
> read them as required.
>
> In both cases the idea is to keep secrets out of your code and thus out of
> your repo.
>
> I prefer the latter approach.
>
> Further to that, the secrets are consumed by your code on the server which
> constructs html from a template rendered with values inserted by your code
> and sends that all to the browser which made the request.
>
> So if you don't include your secrets in your constructed html they won't
> appear in the browser and will remain secret.
>
> My preferred approach (above) is only secure if the files containing the
> secrets are stored on the server in a location accessible to the web server
> (Apache perhaps in your case) but access is denied to a browser.
>
> In my case, I use a "creds" directory which satisfies that scenario.
>
> Cheers
>
> Mike
>
> -------- Original message --------
> From: john fabiani <[email protected]>
> Date: 27/10/22 02:09 (GMT+10:00)
> To: [email protected]
> Subject: secret api keys
>
> Hi,
>
> Maybe a dumb question but if I add secret keys in my settings.py file
> (or should it be placed) will they be protected from the front end side
> (the part that is displayed to the user of the website).
>
> For example I have a secret key to access Authorize Net. Will it be
> protected from someone opening the website and using chrome to see the
> source?
>
> Johnf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au
>
> --
> Signed email is an absolute defence against phishing. This email has
> been signed with my private key. If you import my public key you can
> automatically decrypt my signature and be sure it came from me. Just
> ask and I'll send it to you. Your email software can handle signing.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/51795697-9488-777d-a2de-53517c3e8f46%40dewhirst.com.au

--
Michael Rohan
[email protected]

To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/CAOCsNFjA_5G6SgVtquiqAxxMp0yOaiKE67fuVZ%2BSCN9%2B9Q1mQQ%40mail.gmail.com.
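The two approaches Mike describes above (export secrets as environment variables, or keep them in files in a "creds" directory that the web server process can read but that is never served to a browser), worked through as an added example. This is not code from the thread, from Django, or from django-yamlconf: the function names, the permission check, the one-file-per-secret layout and the /srv/myapp/creds path are assumptions of this example.

```python
"""
Added example, not code from the thread or from django-yamlconf: a small
loader that keeps secrets out of settings.py by reading them from environment
variables first and, failing that, from one file per secret in a "creds"
directory outside the web root. The function names, the permission check and
the directory layout are assumptions of this example.
"""
import os
import stat
import tempfile
from pathlib import Path


class SecretError(RuntimeError):
    """Raised when a secret is missing or stored insecurely."""


def write_secret_file(creds_dir, name, value):
    """Create creds_dir/name readable only by the owner (mode 0600)."""
    path = Path(creds_dir) / name
    # O_CREAT with mode 0o600 so the file never exists with looser permissions;
    # the explicit chmod covers the case where the file already existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(value + "\n")
    os.chmod(path, 0o600)
    return path


def read_secret_file(path):
    """Return the secret stored in `path`, refusing files other users could read."""
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise SecretError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} is readable by group or others; chmod 600 it")
    return path.read_text(encoding="utf-8").strip()


def get_secret(name, creds_dir=None, env=None):
    """Look up `name` in the environment first, then in creds_dir/<name>."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    if creds_dir is not None:
        path = Path(creds_dir) / name
        if path.exists():
            return read_secret_file(path)
    raise SecretError(f"secret {name!r} is neither in the environment nor in {creds_dir}")


# In settings.py this replaces a hard-coded literal, e.g. (hypothetical path):
#   AUTHORIZE_NET_KEY = get_secret("AUTHORIZE_NET_KEY", creds_dir="/srv/myapp/creds")
# The creds directory must be readable by the web server's user and must not
# sit under DocumentRoot or any other directory Apache serves to browsers.


def demo():
    """Exercise the loader against a constructed temporary creds directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        write_secret_file(tmp, "API_KEY", "file-value")
        # The environment wins when both sources are present.
        results["from_env"] = get_secret("API_KEY", creds_dir=tmp, env={"API_KEY": "env-value"})
        # Fall back to the creds file when the variable is unset.
        results["from_file"] = get_secret("API_KEY", creds_dir=tmp, env={})
        # A world-readable secret file is refused rather than silently used.
        os.chmod(Path(tmp) / "API_KEY", 0o644)
        try:
            get_secret("API_KEY", creds_dir=tmp, env={})
            results["loose_perms"] = "accepted"
        except SecretError:
            results["loose_perms"] = "rejected"
        # A secret that exists nowhere fails loudly at startup, not at checkout time.
        try:
            get_secret("MISSING_KEY", creds_dir=tmp, env={})
            results["missing"] = "accepted"
        except SecretError:
            results["missing"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Whichever source is used, the value only reaches a browser if your own view or template puts it into the response, which is the point made in the thread; the loader's permission check adds the server-side half of that picture, since a 0644 file in a shared hosting account is readable by every other local user even when Apache never serves it.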

