Where to store secret keys DJANGO

I wanted to add a new answer because, as a beginner, the previous accepted answer didn't make a lot of sense to me (it was only one part of the puzzle).

So here's how I store my keys both LOCALLY and in PRODUCTION (Heroku, and others).

Note: You really only have to do this if you plan on putting your project online. If it's just a local project, no need.

1) Install python-dotenv to create a local project environment to store your secret key.

pip install python-dotenv

2) Create a .env file in your base directory (where manage.py is).

YourDjangoProject├───project│   ├───__init__.py│   ├───asgi.py│   ├───settings.py│   ├───urls.py│   └───wsgi.py├───.env├───manage.py└───db.sqlite3

If you have a Heroku project, it should look something like this:

YourDjangoProject├───.git├───project│   ├───__init__.py│   ├───asgi.py│   ├───settings.py│   ├───urls.py│   └───wsgi.py├───venv├───.env├───.gitignore├───manage.py├───Procfile├───requirements.txt└───runtime.txt

3) Add .env to your .gitignore file.

echo .env > .gitignore  # Or just open your .gitignore and type in .env

This is how you keep you're secret key more secure because you don't upload your .env file to git or heroku (or wherever else).

4) Add your SECRET_KEY from your settings.py file into the .env file like so (without quotes)

**Inside of your .env file**SECRET_KEY=qolwvjicds5p53gvod1pyrz*%2uykjw&a^&c4moab!w=&16ou7 # <- Example key, SECRET_KEY=yoursecretkey

5) Inside of your settings.py file, add the following settings:

import osimport dotenv # <- New# Add .env variables anywhere before SECRET_KEYdotenv_file = os.path.join(BASE_DIR, ".env")if os.path.isfile(dotenv_file):    dotenv.load_dotenv(dotenv_file)# UPDATE secret keySECRET_KEY = os.environ['SECRET_KEY'] # Instead of your actual secret key

And now your secret key is successfully stored locally.

Update: I found out you can also use the config method from the package python-decouple that seems to be a bit easier:

from decouple import configSECRET_KEY = config('SECRET_KEY')

Now you don't need to import os or use dotenv because it takes care of those parts for you AND will still use the .env file. I started using this in all of my projects.

6) Add the SECRET_KEY environment variable on your host (such as Heroku).

I work mostly with Heroku sites, so if you're wanting to use Heroku for a Django project, this part is for you.

This assumes that you already have a Heroku project setup and have Heroku CLI downloaded on your computer.

You have 2 options:

1. From Command Line / Terminal, you can enter the following command in your project's directory:

heroku config:set SECRET_KEY=yoursecretkey # Again, no quotes.

2. You can go to your Heroku dashboard, click on your app, go to your apps settings, and see the "Config Vars" section and click "Reveal Vars" or "Add Vars" and add your SECRET_KEY there.

Then, when you push your project to Heroku through git, it should be working properly without any issue.

and that's it! 🙂

This answer was targeted towards total beginners / intermediates to hopefully cut through any confusion (because it was definitely confusing for me).

Hope this helps!

Happy coding.

See the Django deployment docs for a discussion on this.

There's quite a few options for production. The way I do it is by setting my sensitive data variables as environmental variables on the production environments. Then I retrieve the variables in the settings.py via os.environ like so:

import osSECRET_KEY = os.environ['SECRET_KEY']

Another possible option is to copy in the secret.py file via your deploy script.

I'm sure there are also other specific options for different web servers.

You should store your settings in a modular way. By that I mean to spread your settings across multiple files.

For example, you can have base_settings.py to store all your base settings; dev_settings.py for your development server settings; and finally prod_base_settings.py for all production settings. All non-base settings files will import all the base settings and then only change whatever is necessary:

# base_settings.py...# dev_settings.pyfrom base_settings import *DEBUG = TRUE...# prod_base_settings.pyfrom base_settings import *DEBUG = FALSE...

This approach allows you to have different settings from different setups. You can also commit all these files except then on the production server you can create the actual production settings file prod_settings.py where you will specify all the sensitive settings. This file should not be committed anywhere and its content kept secure:

# prod_settings.pyfrom prod_base_settings import *SECRET_KEY = 'foo'

As for the file names you can use whatever filenames you feel are appropriate. Personally I actually create a Python package for the settings and then keep the various settings inside the package:

project/  project/    settings/      __init__.py      base.py      dev.py      ...  app1/    models.py    ...  app2/    models.py    ...