Python/Django - Avoid saving passwords in source code
I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py file.
Storing my password in plain text would open me up to a number of security problems, particularly because this is an open source project and my source code would be version controlled (through git, on Github, for the entire world to see!)
The question is, what would be the best practice for securely writing a settings.py file in a a Django/Python development environment?
Answer
Although I wasn't able to come across anything Python-specific on stackoverflow, I did find a website that was helpful, and thought I'd share the solution with the rest of the community.
The solution: environment variables.
Note: Although environment variables are similar in both Linux/Unix/OS X and in the Windows worlds, I haven't tested this code on a Windows machine. Please let me know if it works.
In your bash/sh shell, type:
export MYAPP_DB_USER='myapp'
export MYAPP_DB_PASSWORD='testing123'
And in your Django settings.py file:
DATABASE_USER = os.environ.get("MYAPP_DB_USER", '')
DATABASE_PASSWORD = os.environ.get("MYAPP_DB_PASSWORD", '')
In this case, the username and password would default to an empty string if the environment variable didn't exist.