At present my application related variables like external server IP / default pattern etc.. These variables are specific to my application. It includes my external server username and password.
Now how can I have a single common place so that I can externalise this from my application.
The options which I thought are below:
Have one conf.ini file and use configparser and read this during the start of the django app
But I am not sure from where I should have method to read this so that it will be done in the startup.
Other option is to save this in a py file itself and import this file in my modules
Please suggests me the good and standard approach for above issue.
Save the important secret details in an ini file and place it in etc/project_name/my_settings.ini. Read these settings from settings.py. This way it will be secure. Can be read directly in the settings file itself
Or better way is to set them in bashrc, read the env vars from it.
Check this: Setting envs
Related
A django settings file includes sensitive information such as the secret_key, password for database access etc which is unsafe to keep hard-coded in the setting file. I have come across various suggestions as to how this information can be stored in a more secure way including putting it into environment variables or separate configuration files. The bottom line seems to be that this protects the keys from version control (in addition to added convenience when using in different environments) but that in a compromised system this information can still be accessed by a hacker.
Is there any extra benefit from a security perspective if sensitive settings are kept in a data vault / password manager and then retrieved at run-time when settings are loaded?
For example, to include in the settings.py file (when using pass):
import subprocess
SECRET_KEY=subprocess.check_output("pass SECRET_KEY", shell=True).strip().decode("utf-8")
This spawns a new shell process and returns output to Django. Is this more secure than setting through environment variables?
I think a data vault/password manager solution is a matter of transferring responsibility but the risk is still here. When deploying Django in production, the server should be treated as importantly as a data vault. Firewall in place, fail to ban, os up to date... must be in place. Then, in my opinion, there is nothing wrong or less secure than having a settings.py file with a config parser reading a config.ini file (declared in your .gitignore!) where all your sensitive information is present.
I am creating a Python script which reads a spreadsheet and issues Rest requests to an external service. A token must be obtained to issue requests to the Rest service, so the script needs a username and password to obtain the oauth2 token.
What's the best or standard way to hide or not have visible information in the Python script?
I recommend using a config file. Let's create a config file and name it config.cfg. The file structure should look more or less like this:
[whatever]
key=qwerertyertywert2345
secret=sadfgwertgrtujdfgh
Then in python you can load it this way:
from configparser import ConfigParser
config = ConfigParser()
config.read('config.cfg')
my_key = config['whatever']['key']
my_secret = config['whatever']['secret']
In general, the most standard way to handle secrets in Python is by putting them in runtime configuration.
You can do that by reading explicitly from external files or using os.getenv to read from environment variables.
Another way is to use a tool like python-decouple, which lets you use the environment (variables), a .env file, and an .ini file in a cascade, so that developers and operations can control the environment in local, dev, and production systems.
I've read that it's best practice for security reason to store things like API keys in the instance/settings.py file in Flask - why is this so and what is the mechanism that makes it so. I haven't been able to find much documentation about this online.
As #davidism suggested, Config files are never meant to be tracked since these are your secret keys and anybody with access to your code will have access to your keys if tracked.
But, there is no hard and fast rule in Flask to keep your settings file in a specific location. You can keep them anywhere and name them anything.
But, when adding the config to the app, the correct file path must be given.
I am building simple app which is using Twitter API. What I have to do to hide my Twitter app keys? For example, if I will put my program to the internet and somebody who look up to the code will know my consumer key, access token etc. And if I not include this information into my program, that it won't be work!
I'm assuming by putting on the internet you mean publishing your code on github or such.
In that case you should always separate code and configuration. Put your API keys in an .ini file, i.e. config.ini, then load that file from python program using configparser
Add configuration file to your .gitignore so it would not get added to the source control.
Assuming you're running on a Unix like system, one way to handle this is environment variables.
In your shell you can do this:
export TWITTER_API_KEY=yoursecretapikey
Note that you don't use quotes of any kind for this.
Then in your script:
import os
twitter_key = os.environ.get('TWITTER_API_KEY')
In my pylons application I want to add some data on setup. ( a user)
To secure passwords in the database i've hashed the passwords with a salt, this salt is stored in the configuration file.
If I want to get the saltkey from configuration I do this (shortened example):
from pylons import config
saltkey = config.get("saltkey")
If this code is placed in for example a model, it returns the saltkey. In the User-model this code is used to create a hash with the salt.
However if I want to create an instance of this model in "websetup.py" the config has a different contents and it cannot retrieve the saltkey (resulting in an error)
def setup_app(command, conf, vars):
load_environment(conf.global_conf, conf.local_conf)
Base.metadata.create_all(bind=Session.bind)
user = User('admin', 'password123', 'test#test.com')
Session.add(user)
Session.commit()
My question is: Why has the config a different content? And how do I fix this problem without an ugly hack?
You can access your config file in this step. The from pylons import config method is best suited to doing so in the context of a WSGI request. However, you're not dealing with a WSGI request, so it's unavailable. Fortunately, you have a very easy way of accessing config during websetup.py's operation. The setup_app() function already consumes the config file, and Paster has already parsed it and turned it into a dictionary for you.
You can access your config file as the conf.local_conf dictionary, and that will make the data you want available.
With all of that said - you should not store the salt in your config.ini file, that's a bad idea and you should avoid wheel-reinvention like that.