Separating Sensitive Data from Code (using python-decouple)

Whenever I learn anything code-related, I make sure I follow it through to the end and then push the code to my repo. As I git push and enjoy the feeling of completing a task, sometimes GitHub Bot tries to cut the party short by emailing me about a security issue: that I have exposed some sensitive data.

Those times, I wished I could reply to GitHub Bot:

"Thanks for letting me know. This is just a test project, so .."

And my completion party continues ... 🎉

Nevertheless, deep down I knew I needed to make my project production-ready. Then I found python-decouple.

Decouple helps you to organize your settings so that you can change parameters without having to redeploy your app.

Let me show you how I used decouple to separate sensitive data from my code:

settings.py (before decoupling)

import dj_database_url

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = ",q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n"
DEBUG = True

# database credentials hardcoded in the file, and therefore committed to the repo
DATABASE_URL = "postgres://johndoe:mypassword@123.456.789.000:5000/blog_db"
DATABASES = {"default": dj_database_url.config(default=DATABASE_URL)}

EMAIL_HOST = "stmp.gmail.com"
EMAIL_HOST_USER = "johndoe@gmail.com"
EMAIL_HOST_PASSWORD = "johndoepassword123"
EMAIL_PORT = 543
EMAIL_USE_TLS = True

🔩 Okay let's decouple some sh*t! 🔩

📌 First install python-decouple in your virtual environment

$ pip install python-decouple

📌 Add this at the top of settings.py

from decouple import config

📌 And then change the values of the sensitive settings so that they are read from your environment variables

settings.py (after decoupling)

SECRET_KEY = config("SECRET_KEY")
DEBUG = config("DEBUG", default=False, cast=bool)

DATABASES = {"default": dj_database_url.config(default=config("DATABASE_URL"))}

EMAIL_HOST = config("EMAIL_HOST", default="localhost")
EMAIL_HOST_USER = config("EMAIL_HOST_USER", default="")
EMAIL_HOST_PASSWORD = config("EMAIL_HOST_PASSWORD", default="")
EMAIL_PORT = config("EMAIL_PORT", default=25, cast=int)
EMAIL_USE_TLS = config("EMAIL_USE_TLS", default=False, cast=bool)

📌 Add a .env file at the root of your project

$ touch .env

📌 Make sure .env is added to your .gitignore file

.gitignore

# ... other ignored files
.env

📌 Now you can define those environment variables in the .env file

.env

SECRET_KEY=,q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n
DEBUG=True

DATABASE_URL=postgres://johndoe:mypassword@123.456.789.000:5000/blog_db

EMAIL_HOST=stmp.gmail.com
EMAIL_HOST_USER=johndoe@gmail.com
EMAIL_HOST_PASSWORD=johndoepassword123
EMAIL_PORT=543
EMAIL_USE_TLS=True
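To see what those config() calls actually do when settings.py runs, here is an added example that is not part of the original post and not python-decouple's own code: a small reimplementation of the lookup rule decouple applies (a real environment variable wins over the .env file, the .env file wins over the default, and a key with neither a value nor a default raises an error), fed with a constructed .env modelled on the one above. It also shows why cast=bool matters: bool("False") is True in Python, so a text value has to be parsed. The names make_config, load_dotenv_file, cast_bool and demo are assumptions made for this illustration.

```python
# Added example (not from the original post, not python-decouple's own code):
# a minimal reimplementation of the lookup semantics settings.py relies on,
# runnable offline without the package. Names are hypothetical.
import os
import tempfile

# Constructed sample .env contents, modelled on the post's file.
DOTENV_SAMPLE = """\
# comments and blank lines are ignored
SECRET_KEY=,q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n
DEBUG=True
EMAIL_PORT=543
EMAIL_USE_TLS=True
"""

_TRUE = {"y", "yes", "t", "true", "on", "1"}
_FALSE = {"n", "no", "f", "false", "off", "0", ""}
_UNSET = object()  # sentinel: "no default was given"


class UndefinedValueError(Exception):
    """Raised when a key is in neither the environment nor the .env file and has no default."""


def cast_bool(value):
    # bool("False") is True in Python, so values read from text need a real parser.
    v = str(value).strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def load_dotenv_file(path):
    """Parse KEY=VALUE lines from a .env file into a dict."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")  # split on the first '=' only
            value = value.strip()
            # drop one matching pair of surrounding quotes, if present
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            values[key.strip()] = value
    return values


def make_config(dotenv_path, environ=None):
    """Build a config(key, default=..., cast=...) lookup with the precedence
    environment variable > .env file > default; no value and no default -> error."""
    env = os.environ if environ is None else environ
    file_values = load_dotenv_file(dotenv_path)

    def config(key, default=_UNSET, cast=None):
        if key in env:
            value = env[key]
        elif key in file_values:
            value = file_values[key]
        elif default is not _UNSET:
            value = default
        else:
            raise UndefinedValueError(f"{key} not found. Declare it as envvar or define a default value.")
        if cast is None:
            return value
        if cast is bool:
            return cast_bool(value)
        return cast(value)  # the default is cast too, like the file value

    return config


def demo():
    """Run the lookup against the constructed .env and a fake process environment."""
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False, encoding="utf-8") as fh:
        fh.write(DOTENV_SAMPLE)
        path = fh.name
    try:
        # Production-style override: the process environment wins over the file.
        config = make_config(path, environ={"DEBUG": "False"})
        try:
            config("DATABASE_URL")  # not in env, not in file, no default
            missing_raises = False
        except UndefinedValueError:
            missing_raises = True
        return {
            "debug": config("DEBUG", default=False, cast=bool),        # env beats .env
            "port": config("EMAIL_PORT", default=25, cast=int),        # from .env, cast to int
            "tls": config("EMAIL_USE_TLS", default=False, cast=bool),  # from .env
            "host": config("EMAIL_HOST", default="localhost"),         # set nowhere: default
            "secret": config("SECRET_KEY"),                            # from .env, no cast
            "missing_raises": missing_raises,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The same precedence is what makes the production step later in the post work: the deployed process sets the variables in its environment, the .env file is absent, and settings.py is unchanged. Before the first push it is also worth confirming the ignore rule really matches: `git check-ignore -q .env && echo ignored` prints "ignored" only if .env is excluded.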

And that was it. 🚀🚀

We can now push our code to GitHub without being scared of exposing sensitive data.

Note: when it's time for production, nothing in your code changes. Just define those same variables as environment variables in the production environment.