There will be a lot of sensitive information in our Django project resided in the settings.py, or local variables containing sensitive information or the POST request made using forms. So while deploying a Django project we always have to make sure they are protected especially the repositories that are publicly available. When a project is deployed without handling all possible test cases and with DEBUG=True then it makes the job of finding loopholes a piece of cake for hackers. So the user’s data may get exposed by neglecting the importance of protecting sensitive information in the settings.py file. There are many cases where there may occur a problem by exposing sensitive information mainly in the public repositories.
Handling settings.py file
To protect sensitive information from the settings.py file we will use the Python-decouple library. This library helps to separate the settings parameter from the source code. Parameters related to the project go to the source code and the parameters related to the instance of the project go to the environment file.
Installation
To install this module type the below command in the terminal.
pip install python-decouple
Stepwise Implementation
- Create a .env file to store the sensitive data near the manage.py file as shown below.
After creating the .env file it looks as:
- We will now copy the sensitive information such as secret key, debug, database user, database name, database password, database host values from the settings.py file and paste it into the .env file created as:
- Now go to the settings.py file and add this line to import decouple installed previously.
from decouple import config
|
- Replace the secret key in the settings.py file with config and inside config enter the variable with which you saved the secret key in the .env file as:
SECRET_KEY = config('SECRET_KEY')
|
- Similarly replace debug value as :
DEBUG = config('DEBUG')
|
- Similarly replace DB_USER,DB_NAME,DB_PASSWORD,DB_HOST.
- Now save all the files.
- Then create a .gitignore file beside the .env file as shown below.
- Then enter .env inside the .gitignore file, save and close the file.
- Now you can add these files to git and push them safely.
Handling Sensitive Variables
Sensitive variables means the variables containing information like password, username, etc. To protect this information from getting showing in the error report we can use sensitive_variables decorator from django.views.decorators.debug module.
Example:
from django.views.decorators.debug import sensitive_variables
@sensitive_variables('password', 'acc', 'name')
def fun():
password = user.password
acc = user.account_no
name = user.name
|
We can also hide all the local variables to avoid them showing in error report by not providing any argument to the sensitive_variables decorator.
Example:
from django.views.decorators.debug import sensitive_variables
@sensitive_variables()
def fun():
password = user.password
acc = user.account_no
name = user.name
|
Handling POST Parameters
Let’s suppose one of the POST requests contains sensitive information like password, account number, credit card number, etc. We will also want to avoid this information showing in the error report. Django provides sensitive_post_parameters decorator to handle this from the django.views.decorators.debug module.
Example:
from django.views.decorators.debug import sensitive_post_parameters
@sensitive_post_parameters('name', 'password', 'acc')
def fun(request):
name = request.POST['name']
password = request.POST['password']
acc = request.POST['account_no']
|
We can also hide all the post parameters by not providing any argument to the sensitive_post_parameters decorator.
Example:
from django.views.decorators.debug import sensitive_post_parameters
@sensitive_post_parameters()
def fun(request):
name = request.POST['name']
password = request.POST['password']
acc = request.POST['account_no']
|