Standard practice for .wsgi secret key for flask applications on github repositories [duplicate]
The general way to do this is to read it from an environment variable:

    import os
    from flask import Flask

    application = Flask(__name__)
    application.secret_key = os.getenv('SECRET_KEY', 'for dev')

Note that it also sets a default value for development.
You can set the environment variable SECRET_KEY manually:

    $ export SECRET_KEY=your_key_here  # use `set` instead of `export` on Windows
Or you can save it in a .env file at the project root:

    SECRET_KEY=your_key_here

Add it to .gitignore:

    .env
Then you can use python-dotenv or something similar to import the variable:

    # pip install python-dotenv
    import os
    from dotenv import load_dotenv
    from flask import Flask

    load_dotenv()  # loads KEY=VALUE pairs from .env into os.environ
    application = Flask(__name__)
    application.secret_key = os.getenv('SECRET_KEY', 'for dev')
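An added example, not part of the answer above, showing the same environment-then-.env lookup with one extra check: the 'for dev' fallback is refused when the app is flagged as production. parse_dotenv is a minimal stand-in for python-dotenv so the block runs offline; SAMPLE_DOTENV is a constructed .env file.

```python
import os
import secrets

# Constructed sample .env content, as it would sit (git-ignored) at the project root.
SAMPLE_DOTENV = """
# local settings, never committed
SECRET_KEY="c0ffee-not-a-real-key"
DEBUG=1
"""


def parse_dotenv(text):
    """Minimal KEY=VALUE parser; a stand-in for python-dotenv's load_dotenv()."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        # strip one matching pair of surrounding quotes
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def resolve_secret_key(env, dotenv=None, production=False, min_length=32):
    """Pick the Flask secret key: real environment first, then .env values.

    Refuses to start a production app on the development fallback, which is the
    failure mode a bare os.getenv('SECRET_KEY', 'for dev') default silently allows.
    """
    key = env.get("SECRET_KEY") or (dotenv or {}).get("SECRET_KEY")
    if key:
        if production and len(key) < min_length:
            raise RuntimeError("SECRET_KEY is too short for production use")
        return key
    if production:
        raise RuntimeError("SECRET_KEY must be set in production")
    # Development only: a fresh random key per process instead of a fixed string,
    # so a forgotten default can never be reused to forge session cookies.
    return secrets.token_hex(32)


if __name__ == "__main__":
    dotenv = parse_dotenv(SAMPLE_DOTENV)
    print(resolve_secret_key(os.environ, dotenv, production=False))
```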
As commented, the secret or any other sensitive information should never be part of a Git repository.
To illustrate that, see ubuntudesign/git-mirror-service, a simple WSGI server to create a mirror of a remote git repository on another remote.
It does include the step:
Optional secret
By default the server is unsecured - anyone who can access it can use it to mirror to repositories that the server has access to.
To prevent this, you can add a secret:
echo "79a36d50-09be-4bf4-b339-cf005241e475" > .secret
Once this file is in place, the service will only allow requests if the secret is provided.
NB: For this to be an effective security measure, the server should be only accessible over HTTPS.
The file is ignored in .gitignore.
And wsgi.py reads it if present:

    import os

    # script_dir is assumed here to be the directory containing wsgi.py
    script_dir = os.path.dirname(os.path.abspath(__file__))
    real_secret = None
    secret_filename = os.path.join(script_dir, ".secret")
    if os.path.isfile(secret_filename):
        with open(secret_filename) as secret_file:
            real_secret = secret_file.read().strip()