Thursday, 23 November 2017


Hiding sensitive information from the Django settings module

Many beginners with the Django framework reveal sensitive information in their settings module, especially when they push the project to version control (most commonly GitHub). This creates serious security problems once the site goes live. The most common victim is SECRET_KEY, followed by database passwords and API keys. Once the key is public, everything Django signs with it (session data, CSRF tokens, password reset links) can be forged, which defeats most of Django's security measures. If you have already made this mistake, change the key before deploying the site to production: deleting it from the current version of the file does not remove it from the commit history, and a leaked database password or API key has to be rotated for the same reason. Here are the methods for keeping SECRET_KEY and other sensitive information out of the public.

1. Copy all sensitive data to a separate module and import it into your main settings file:
This is the easiest and most straightforward method. Move the sensitive lines of your settings file (SECRET_KEY, database passwords, API keys) into a separate module in the same package, for example secret_settings.py, then pull them into your main settings file with a star import (from .secret_settings import *). Add the secret module to .gitignore before your first commit so it never reaches your public repository; if it has already been committed, ignoring it afterwards does not erase it from the history, so change the values as well. Each machine that runs the site then needs its own copy of that file, which you distribute by some channel other than the repository.

2. Using environment variables
Every operating system supported by Django (and Python) lets you define environment variables. On Windows, open your settings file, locate the SECRET_KEY line and copy the value without the surrounding quotes, then open a command prompt and type
setx SECRET_KEY "your secret key"
Use double quotes here: cmd does not treat single quotes as quoting, so 'your secret key' would be stored with the quote characters as part of the value and Django would sign with the wrong key. setx writes the variable to the registry for future sessions only, so close that prompt and open a new one before testing. On Linux and macOS, set the variable with the shell's export command in the shell that starts Django, or in the service file that starts it. Then replace the hard-coded value in your settings file with
SECRET_KEY = os.environ['SECRET_KEY']
and add import os at the top of the file if it is not there already. Now test that everything still works: in the new terminal, type python manage.py runserver. If the server starts without a KeyError on SECRET_KEY, the change was successful. Apply the same pattern to the database password and any API keys.
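As an added example (not code from the original post), here is a small helper module that a settings.py could import to read SECRET_KEY and the database credentials from environment variables and fail at startup if one is missing or still carries the quotes from the setx mistake described above. It also mirrors the length and uniqueness thresholds that Django's security.W009 system check applies to SECRET_KEY, and generates a replacement key from the same alphabet Django's get_random_secret_key() uses, for the case where a key has already been committed. The names get_secret, check_secret_key, generate_secret_key, load_settings and the DB_* variables are this example's own; ImproperlyConfigured is a local stand-in so the block runs without Django installed, and a real settings.py would import django.core.exceptions.ImproperlyConfigured instead.

```python
"""Secrets-from-environment helpers for a Django settings module.

Added example, not from the original post or from Django itself. Function
names and the DB_* variable names are this example's own conventions.
"""
import os
import secrets
from typing import Mapping, Optional


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured so this
    example runs without Django installed; real settings import Django's."""


# Thresholds Django's own system check (security.W009) applies to SECRET_KEY.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
# Alphabet Django's get_random_secret_key() draws from.
SECRET_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def get_secret(name: str, environ: Optional[Mapping[str, str]] = None,
               default: Optional[str] = None) -> str:
    """Return environment variable `name`, or `default` if given.

    Raises ImproperlyConfigured (a clear message instead of a bare KeyError
    at import time) when the variable is unset, and when the value is still
    wrapped in quotes, which is what you get from `setx SECRET_KEY 'abc'` on
    Windows: cmd does not treat single quotes as quoting characters.
    """
    env = os.environ if environ is None else environ
    if name not in env:
        if default is not None:
            return default
        raise ImproperlyConfigured(
            f"Set the {name} environment variable before starting Django")
    value = env[name]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        raise ImproperlyConfigured(
            f"{name} is wrapped in {value[0]} quotes; set the bare value")
    return value


def check_secret_key(value: str) -> list:
    """Return the problems Django's security.W009 check would report."""
    problems = []
    if len(value) < SECRET_KEY_MIN_LENGTH:
        problems.append(f"shorter than {SECRET_KEY_MIN_LENGTH} characters")
    if len(set(value)) < SECRET_KEY_MIN_UNIQUE_CHARACTERS:
        problems.append(
            f"fewer than {SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters")
    return problems


def generate_secret_key(length: int = SECRET_KEY_MIN_LENGTH) -> str:
    """Generate a replacement key, e.g. after one leaked to a public repo."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def load_settings(environ: Mapping[str, str]) -> dict:
    """The part of settings.py that used to hard-code secrets.

    Takes the environment as a parameter so it can be exercised with a
    constructed mapping; settings.py would simply pass os.environ.
    """
    secret_key = get_secret("SECRET_KEY", environ)
    problems = check_secret_key(secret_key)
    if problems:
        raise ImproperlyConfigured("SECRET_KEY is weak: " + "; ".join(problems))
    return {
        "SECRET_KEY": secret_key,
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": get_secret("DB_NAME", environ),
                "USER": get_secret("DB_USER", environ),
                "PASSWORD": get_secret("DB_PASSWORD", environ),
                "HOST": get_secret("DB_HOST", environ, default="localhost"),
            }
        },
    }


if __name__ == "__main__":
    # Constructed environment standing in for os.environ on a real host.
    demo_env = {
        "SECRET_KEY": generate_secret_key(),
        "DB_NAME": "app",
        "DB_USER": "app",
        "DB_PASSWORD": "not-in-git",
    }
    settings = load_settings(demo_env)
    print("loaded settings for database", settings["DATABASES"]["default"]["NAME"])
    # The setx-with-single-quotes mistake is caught at startup, not at login time.
    try:
        get_secret("SECRET_KEY", {"SECRET_KEY": "'" + demo_env["SECRET_KEY"] + "'"})
    except ImproperlyConfigured as exc:
        print("rejected:", exc)
```

In a real project the functions go into settings.py (or a module next to it), the hard-coded SECRET_KEY = '...' line becomes a get_secret call, and load_settings is replaced by the module-level assignments Django expects; the checks still run once at import time, so a missing or mis-quoted variable stops manage.py before the site ever serves a request with a broken key.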
