Hiding Django’s Secret Key

Django uses a secret key for many of its security features. This secret key should never be checked into version control.

The secret key entry is stored by default in settings.py: Make this unique, and don’t share it with anybody. It will look something like this:

SECRET_KEY = 'y2k94mib_ve%c9hth=9grurdontuse1(t&his;jy-xkcd'

From the Django Docs:

Running Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

Save you SECRET_KEY to secret_key.py in the same folder as your settings, then replace the SECRET_KEY entry with the following block of code. Be sure to add secret_key.py to your .gitignore!

# SECURITY WARNING: keep the secret key used in production secret!
import sys

def find_or_create_secret_key():
"""
Look for secret_key.py and return the SECRET_KEY entry in it if the file exists.
Otherwise, generate a new secret key, save it in secret_key.py, and return the key.
"""
SECRET_KEY_DIR = os.path.dirname(**file**)
SECRET_KEY_FILEPATH = os.path.join(SECRET_KEY_DIR, 'secret_key.py')
sys.path.insert(1,SECRET_KEY_DIR)

    if os.path.isfile(SECRET_KEY_FILEPATH):
        from secret_key import SECRET_KEY
        return SECRET_KEY
    else:
        from django.utils.crypto import get_random_string
        chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
        new_key = get_random_string(50, chars)
        with open(SECRET_KEY_FILEPATH, 'w') as f:
            f.write("# Django secret key\n# Do NOT check this into version control.\n\nSECRET_KEY = '%s'\n" % new_key)
        from secret_key import SECRET_KEY
        return SECRET_KEY

# Make this unique, and don't share it with anybody.

SECRET_KEY = find_or_create_secret_key()