
Security hardening on deployment (e.g. SECRET_KEY ends up on GitHub) #1192

Closed
sbeaumont opened this issue Jan 19, 2018 · 5 comments

Comments

@sbeaumont

Issue description

I will soon be coaching the tutorial, and went through it myself to get to know it. I noticed that with the current steps there are some security issues like the SECRET_KEY ending up on GitHub.

Given the current importance of security it would be nice to have a section on these hardening steps. This can include:

  • using SECRET_KEY = os.environ.get('SECRET_KEY') and set an environment variable on PythonAnywhere
  • pointing at a production version of settings.py (settings-production.py?) which has the "hardened settings"
  • explaining the importance of preventing passwords in code and on GitHub
  • using python manage.py check --deploy to get a report on security issues
  • setting DEBUG=FALSE on deployment in some fashion without having to do this locally
  • turning on HTTPS by default (as asked for by check --deploy)
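The hardening steps listed above, as an added example that is not code from this issue or from the Django Girls tutorial: a small settings helper that takes SECRET_KEY and DEBUG from the environment (as one would set them on PythonAnywhere), refuses to start without a SECRET_KEY instead of falling back to one in the repository, and turns on the HTTPS settings that `manage.py check --deploy` asks for. It assumes a dict-like environment is passed in and uses a stand-in `ImproperlyConfigured` so it runs without Django installed; the setting names themselves are Django's.

```python
import os


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (hypothetical,
    so this example runs without Django installed)."""


def env_bool(environ, name, default=False):
    """Parse an environment string such as '1', 'true', 'yes' or 'on' into a
    bool. An unset or unrecognised value yields the default, so DEBUG is off
    in production unless it is switched on explicitly."""
    value = environ.get(name)
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def production_settings(environ=None):
    """Build the security-relevant Django settings from the environment.

    SECRET_KEY has no in-code fallback: a missing or weak value raises instead
    of silently shipping a key that would end up committed to GitHub. The
    length/uniqueness rule mirrors what `check --deploy` (security.W009) warns about.
    """
    environ = os.environ if environ is None else environ
    secret_key = environ.get("SECRET_KEY", "")
    if len(secret_key) < 50 or len(set(secret_key)) < 5:
        raise ImproperlyConfigured(
            "SECRET_KEY must be set in the environment (>= 50 chars, >= 5 unique)"
        )
    debug = env_bool(environ, "DEBUG", default=False)  # production default: off
    settings = {
        "SECRET_KEY": secret_key,
        "DEBUG": debug,
        "ALLOWED_HOSTS": [h for h in environ.get("ALLOWED_HOSTS", "").split(",") if h],
    }
    if not debug:
        # HTTPS-related settings that `manage.py check --deploy` reports on.
        settings.update({
            "SECURE_SSL_REDIRECT": True,
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            "SECURE_HSTS_SECONDS": 31536000,
            "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
        })
    return settings


# Constructed sample environment for a local run (not a real secret or host).
SAMPLE_ENV = {
    "SECRET_KEY": "constructed-example-key-0123456789-abcdefghij-klmnopqrst",
    "DEBUG": "false",
    "ALLOWED_HOSTS": "example.pythonanywhere.com",
}
```

In a real project the call would live at the bottom of the production settings module, e.g. `globals().update(production_settings())`, so the values become ordinary module-level settings.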
@ekohl
Collaborator

ekohl commented Jan 19, 2018

IMHO it's already hard enough, so we shouldn't require doing this manually. #1190 would be a good starting place.

@sbeaumont
Author

Agree, and #1190 is indeed a better option. But if security would be a topic at some point these steps aren't that hard.

@sbeaumont
Author

I see this issue is a generalized copy of #802.

@hjwp
Contributor

hjwp commented Feb 12, 2018

closing in favour of DjangoGirls/tutorial-extensions#101

@das-g
Member

das-g commented Sep 6, 2023

Related: #1687
