It depends on your hosting situation. If another user has access to running scripts under the web server user, then it is trivial for them to write a script which will read your settings file.
The only *really* safe bet, in my opinion, is to get on a dedicated server (or VPS). Food for thought.

On Fri, Feb 12, 2010 at 9:50 AM, Gunnlaugur Thor Briem <[email protected]> wrote:
> On Fri, Feb 12, 2010 at 12:49 PM, Rishi Ramraj <[email protected]> wrote:
>
>> While not directly related to wsgi, I presume you all have this
>> problem; how do you protect sensitive configuration information like
>> database connection strings when using WSGI? The best method I've
>> found to date is to put the sensitive information in my .wsgi file.
>> Then set the file level permissions so that my web server is the only
>> user that can execute it (all other users can't read write or
>> execute). Has anyone found any (better) alternatives?
>
> I put the DB connection info in another file like .dbconn and load that
> from the wsgi file (or Django settings.py); that way only this little file
> needs securing, and I can check all my code into version control without
> including the connection string.
>
> - Gulli
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.
