Wednesday, October 26, 2022

Re: secret api keys

On 27/10/2022 3:32 pm, Mike Dewhirst wrote:
Not a dumb question but frequently asked.

There are two approaches - one is to export your secrets as environment vars and read them from there. The other is to keep them in disk files and read them as required. 

In both cases the idea is to keep secrets out of your code and thus out of your repo.

I prefer the latter approach.

Further to that, the secrets are consumed by your code on the server which constructs html from a template rendered with values inserted by your code and sends that all to the browser which made the request.

So if you don't include your secrets in your constructed html they won't appear in the browser and will remain secret.

My preferred approach (above) is only secure if the files containing the secrets are stored on the server in a location accessible to the web server (Apache perhaps in your case) but access is denied to a browser.

In my case, I use a "creds" directory which satisfies that scenario.


Cheers

Mike

-------- Original message --------
From: john fabiani <johnf@jfcomputer.com>
Date: 27/10/22 02:09 (GMT+10:00)
Subject: secret api keys

Hi,

Maybe a dumb question but if I add secret keys in my settings.py file
(or should it be placed) will they be protected from the front end side
(the part that is displayed to the user of the website).

For example I have a secret key to access Authorize Net.  Will it be
protected from someone opening the website and using chrome to see the
source?

Johnf

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6068b999-3cca-f4e3-cb58-493e08800187%40dewhirst.com.au.


--   Signed email is an absolute defence against phishing. This email has  been signed with my private key. If you import my public key you can  automatically decrypt my signature and be sure it came from me. Just  ask and I'll send it to you. Your email software can handle signing.  

No comments:

Post a Comment