Standard practice for .wsgi secret key for flask applications on github repositories [duplicate]



The general way to do this is to read it from an environment variable:

    import os
    from flask import Flask

    application = Flask(__name__)  # the WSGI application object served by the .wsgi file
    application.secret_key = os.getenv('SECRET_KEY', 'for dev')

Note that it also sets a default value for development.

You can set the environment variable SECRET_KEY manually:

    $ export SECRET_KEY=your_key_here  # use $ set ... in Windows

Or you can save it in a .env file at project root:

    SECRET_KEY=your_key_here

Add it into .gitignore:

    .env

Then you can use python-dotenv or something similar to import the variable:

    # pip install python-dotenv
    import os
    from dotenv import load_dotenv
    from flask import Flask

    load_dotenv()  # reads the .env file at the project root into os.environ

    application = Flask(__name__)
    application.secret_key = os.getenv('SECRET_KEY', 'for dev')


As commented, the secret or any other sensitive information should never be part of a Git repository.

To illustrate that, see ubuntudesign/git-mirror-service, a simple WSGI server to create a mirror of a remote git repository on another remote.
It does include the step:

Optional secret

By default the server is unsecured - anyone who can access it can use it to mirror to repositories that the server has access to.

To prevent this, you can add a secret:

    echo "79a36d50-09be-4bf4-b339-cf005241e475" > .secret

Once this file is in place, the service will only allow requests if the secret is provided.

NB: For this to be an effective security measure, the server should be only accessible over HTTPS.

The file is ignored in .gitignore.
And wsgi.py reads it if present:

    import os

    # assumed here: script_dir is the directory containing wsgi.py
    script_dir = os.path.dirname(os.path.abspath(__file__))

    secret_filename = os.path.join(script_dir, ".secret")
    if os.path.isfile(secret_filename):
        with open(secret_filename) as secret_file:
            real_secret = secret_file.read().strip()
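Both answers above keep the secret out of the repository but differ in what happens when it is missing: the first falls back to a fixed 'for dev' string, which becomes the production key if the variable is ever forgotten. The following is an added example, not code from either answer or from git-mirror-service, that combines the environment-variable and .secret-file lookups and fails closed instead of using a hard-coded default; the function names and the sample secret value are constructed for illustration.

```python
import os
import secrets
import tempfile


def read_secret_file(path):
    """Return the stripped contents of a secret file, or None if it is absent or empty."""
    if not os.path.isfile(path):
        return None
    with open(path) as secret_file:
        value = secret_file.read().strip()
    return value or None


def load_secret_key(env=None, secret_file=None, debug=False):
    """Resolve the Flask secret key without a hard-coded fallback.

    Order: SECRET_KEY environment variable, then the .secret file (both kept
    out of git). With debug=True a random per-process key is generated, so a
    fixed 'for dev' value can never be carried into production; without it the
    app refuses to start rather than sign sessions with a known key.
    """
    env = os.environ if env is None else env
    key = env.get("SECRET_KEY")
    if not key and secret_file:
        key = read_secret_file(secret_file)
    if key:
        return key
    if debug:
        return secrets.token_hex(32)  # sessions reset on restart; acceptable in dev
    raise RuntimeError("SECRET_KEY is not set and no .secret file was found")


def demo():
    """Exercise the loader against a constructed .secret file (sample value, not a real key)."""
    with tempfile.TemporaryDirectory() as script_dir:
        secret_path = os.path.join(script_dir, ".secret")
        with open(secret_path, "w") as fh:
            fh.write("constructed-example-secret\n")
        return {
            "from_env": load_secret_key(env={"SECRET_KEY": "env-wins"}, secret_file=secret_path),
            "from_file": load_secret_key(env={}, secret_file=secret_path),
            "dev_key_len": len(load_secret_key(env={}, secret_file=None, debug=True)),
        }


if __name__ == "__main__":
    print(demo())
```

In a .wsgi file this would be used as `application.secret_key = load_secret_key(secret_file=os.path.join(script_dir, ".secret"))`, with `debug=application.debug` only in local runs.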