[Solved]-"Django-insecure" in secret key in settings.py in django

5👍

Why is the key insecure, when auto-created? Seems to be much safer than a key thought of by a human.

It is generated using a well known process from a source of entropy whose quality and security cannot be guaranteed (by Django). This is the ostensible reason for this; see https://docs.djangoproject.com/en/3.2/ref/checks/#security

security.W009: Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it’s prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.

More importantly, any secret key that is embedded in a settings file is only as secure as your file system’s access control mechanisms. Django settings files are an obvious place to look for the secret key.

It is more secure to hold your keys in a cryptographically secured keystore or an HSM, and then pass Django its secret key via an environment variable; see Where to store secret keys DJANGO.

And, no matter how you manage them, you should generate your secret keys yourself using hardware that you control and a mechanism + entropy source that you can 100% trust. (If you are lost for options, consider rolling some dice as a source of random digits.)

0👍

This is a visible warning that any key that is hardcoded is insecure from the very first moment. The idea is to use different keys in development and production.

You can easily generate a new key using an online generator like this one

On your server add your SECRET_KEY to the environment variables and these lines to your settings.py

import os
# Read the key from the environment; os.environ[...] raises KeyError at startup
# if SECRET_KEY is not set, so a missing key is never silently replaced.
SECRET_KEY = os.environ['SECRET_KEY']

I personally don’t prefer saving keys in files but that is possible as well.

Please note that

0👍

In Django 3.2 it’s better to create your own secret key for production (make sure it’s safe enough) and move it to your environment variables, and it’s also better to use this insecure secret key for development purposes only. A safe SECRET_KEY is like this:

  • The secret key must be a large random value and it must be kept secret.
  • Make sure that the key used in production isn’t used anywhere else and avoid committing it to source control. This reduces the number of vectors from which an attacker may acquire the key.
  • Instead of hardcoding the secret key in your settings module, consider loading it from an environment variable:

Here is an example:

import os
# Use the environment variable when set; the second argument is a development-only
# fallback, and the "django-insecure" prefix keeps the W009 warning visible for it.
SECRET_KEY = os.getenv("SECRET_KEY", "django-insecure <actual secret key>")
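The first answer's advice to generate the key yourself and the env-var loading shown above, as an added example that is not part of any answer or of Django itself: it generates a key from the OS CSPRNG, re-implements the three conditions behind security.W009 as a startup check, and refuses to start in production on a missing or weak key. The alphabet and length are assumed to mirror Django's get_random_secret_key(); the function names are my own.

```python
import os
import secrets
import string

# Assumed to mirror Django's get_random_secret_key(): 50 characters drawn from
# lowercase letters, digits and a few symbols. This is a re-implementation for
# illustration, not Django's own code.
SECRET_KEY_ALPHABET = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"
SECRET_KEY_LENGTH = 50
INSECURE_PREFIX = "django-insecure-"


def generate_secret_key(length: int = SECRET_KEY_LENGTH) -> str:
    """Build a key from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def secret_key_is_weak(key: str) -> bool:
    """The three conditions that trigger security.W009, applied locally."""
    return (
        len(key) < 50
        or len(set(key)) < 5
        or key.startswith(INSECURE_PREFIX)
    )


def load_secret_key(environ=os.environ, debug: bool = False) -> str:
    """Fail closed: in production a missing or weak SECRET_KEY aborts startup.

    With debug=True a missing key is replaced by a per-process throwaway key
    that keeps the 'django-insecure-' prefix, so the W009 warning stays visible
    and the value is never the same string hardcoded in settings.py.
    """
    key = environ.get("SECRET_KEY")
    if key is None:
        if debug:
            return INSECURE_PREFIX + generate_secret_key()
        raise RuntimeError("SECRET_KEY environment variable is not set")
    if not debug and secret_key_is_weak(key):
        raise RuntimeError("SECRET_KEY fails the security.W009 criteria")
    return key


if __name__ == "__main__":
    # Print a fresh production-grade key once, to be placed in the environment.
    print(generate_secret_key())
```

Because the debug fallback is regenerated on every process start, signed cookies and sessions from a previous development run are invalidated, which is harmless locally but is exactly why production must read a fixed key from the environment.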
