Opened 4 years ago
Closed 4 years ago
#31757 closed New feature (fixed)
Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
| Reported by: | Carlton Gibson | Owned by: | kosc |
|---|---|---|---|
| Component: | Core (System checks) | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | René Fleschenberg, Shai Berger | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Recent thread on the mailing list about making the default settings more 12 factor friendly. (Related to similar discussions in say #20081.)
Conclusion there was that environment variables are only one way to go. (...)
In the discussion it came up that we could prefix the generated SECRET_KEY with say, dj::insecure and then add a deployment system check to ensure that wasn't used in production. (Paraphrasing various points: might not be 100% robust but would capture most cases.)
So:
- Prefix secret key in project template.
- Add system check to ensure secret key does not have prefix.
Change History (10)
comment:1 by , 4 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Version: | 3.0 → master |
follow-up: 4 comment:2 by , 4 years ago
comment:3 by , 4 years ago
| Cc: | added |
|---|
follow-up: 7 comment:4 by , 4 years ago
| Cc: | added |
|---|
Replying to René Fleschenberg:
Shai Berger suggested an alternative approach: Marking the string as insecure by making it an instance of a custom str subclass (https://groups.google.com/d/msg/django-developers/CIPgeTetYpk/3a0lkAu-BgAJ). I am not sure which of the two approaches we prefer.
Prefix is fine, IMO.
comment:6 by , 4 years ago
| Patch needs improvement: | set |
|---|
comment:7 by , 4 years ago
Replying to felixxm:
Replying to René Fleschenberg:
Shai Berger suggested an alternative approach: Marking the string as insecure by making it an instance of a custom str subclass
Prefix is fine, IMO.
Missed this earlier... prefix is fine IMO too.
comment:8 by , 4 years ago
| Patch needs improvement: | unset |
|---|
comment:9 by , 4 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Shai Berger suggested an alternative approach: Marking the string as insecure by making it an instance of a custom str subclass (https://groups.google.com/d/msg/django-developers/CIPgeTetYpk/3a0lkAu-BgAJ). I am not sure which of the two approaches we prefer.