DEV Community

John Johnson Okah

Separating Sensitive Data from Code (using python-decouple)

Whenever I learn anything code-related, I make sure I follow it through to the end and then push the code to my repo. As I `git push` and enjoy the feeling of completing a task, sometimes the GitHub bot cuts the party short by emailing me about a security issue: I have exposed some sensitive data.

At those times, I wished I could reply to the GitHub bot:

"Thanks for letting me know.
This is just a test project, so .."

And my completion party continues ... 🎉

Nevertheless, deep down I knew I needed to make my project production-ready. Then I found python-decouple.

Decouple helps you to organize your settings so that you can change parameters without having to redeploy your app.

Let me show you how I used decouple to separate sensitive data from my code:

settings.py (before decoupling)

```python
# settings.py (before decoupling): every secret is a literal in the code,
# so it ends up in git history the moment the file is committed.
import dj_database_url

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = ",q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n"
DEBUG = True
DATABASE_URL = "postgres://johndoe:mypassword@123.456.789.000:5000/blog_db"
DATABASES = {"default": dj_database_url.config(default=DATABASE_URL)}
EMAIL_HOST = "smtp.gmail.com"
EMAIL_HOST_USER = "johndoe@gmail.com"
EMAIL_HOST_PASSWORD = "johndoepassword123"
EMAIL_PORT = 543
EMAIL_USE_TLS = True
```

🔩 Okay, let's decouple some sh*t! 🔩

📌 First, install python-decouple in your virtual environment

```shell
$ pip install python-decouple
```

📌 Add this at the top of settings.py

```python
from decouple import config
```

📌 Then change the values of the sensitive settings so that they are read from environment variables

settings.py

```python
# settings.py (after decoupling): no secret is written in the code any more.
# config() reads each value from the environment (or the .env file), applies
# the optional cast, and falls back to the default only when the variable
# is absent. SECRET_KEY has no default, so a missing value fails loudly.
import dj_database_url
from decouple import config

SECRET_KEY = config("SECRET_KEY")
DEBUG = config("DEBUG", default=False, cast=bool)
DATABASES = {"default": dj_database_url.config(default=config("DATABASE_URL"))}
EMAIL_HOST = config("EMAIL_HOST", default="localhost")
EMAIL_HOST_USER = config("EMAIL_HOST_USER", default="")
EMAIL_HOST_PASSWORD = config("EMAIL_HOST_PASSWORD", default="")
EMAIL_PORT = config("EMAIL_PORT", default=25, cast=int)
EMAIL_USE_TLS = config("EMAIL_USE_TLS", default=False, cast=bool)
```

📌 Add a .env file at the root of your project

```shell
$ touch .env
```

📌 Make sure .env is added to your .gitignore file.

.gitignore

```gitignore
# ... other ignored files
.env
```

📌 Now you can define those environment variables in the .env file

.env

```ini
SECRET_KEY=,q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n
DEBUG=True
DATABASE_URL=postgres://johndoe:mypassword@123.456.789.000:5000/blog_db
EMAIL_HOST=smtp.gmail.com
EMAIL_HOST_USER=johndoe@gmail.com
EMAIL_HOST_PASSWORD=johndoepassword123
EMAIL_PORT=543
EMAIL_USE_TLS=True
```

And that was it. 🚀🚀

We can now push our code to GitHub without being scared of exposing sensitive data.

Note: when it's time for production, nothing in your code changes. Just define the same variables in the production environment: decouple checks the process environment first and only then falls back to the .env file, so the deployed host never needs a .env at all.
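To make the lookup order and the `cast` behaviour above concrete, here is an added example (not from the post and not python-decouple's own code) that re-implements a minimal `config()` over a constructed `.env` text, assuming the same `Config.__call__(option, default, cast)` shape the post uses and a boolean spelling table similar to decouple's.

```python
# Minimal stand-in for decouple's config(): same lookup order (process
# environment, then .env file, then default) and the same idea of casting
# the string from .env into the type settings.py expects.
import os

# Constructed .env contents mirroring the post; the values are placeholders.
SAMPLE_ENV = """\
SECRET_KEY=,q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n
DEBUG=True
EMAIL_PORT=543
# comment lines and blank lines are ignored

EMAIL_USE_TLS=no
"""

# Spellings accepted for a bool cast; anything else is rejected rather than
# silently treated as truthy (the usual bug when people write bool("False")).
_BOOLEANS = {"1": True, "yes": True, "true": True, "on": True,
             "0": False, "no": False, "false": False, "off": False, "": False}


def cast_bool(value):
    key = str(value).strip().lower()
    if key not in _BOOLEANS:
        raise ValueError(f"Not a boolean: {value!r}")
    return _BOOLEANS[key]


def parse_env(text):
    """Parse KEY=VALUE lines from .env text; '#' lines and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        values[key.strip()] = value.strip()
    return values


class Config:
    UNSET = object()   # sentinel so that default=None is still a real default

    def __init__(self, env_values, environ=None):
        self.env_values = env_values
        self.environ = os.environ if environ is None else environ

    def __call__(self, option, default=UNSET, cast=None):
        if option in self.environ:            # 1. real environment (production)
            value = self.environ[option]
        elif option in self.env_values:       # 2. the .env file (development)
            value = self.env_values[option]
        elif default is not self.UNSET:       # 3. the default given in settings.py
            value = default
        else:                                 # no value anywhere: fail loudly
            raise KeyError(f"{option} not found. Declare it as envvar or in .env")
        if cast is bool:
            return cast_bool(value)
        return value if cast is None else cast(value)
```

Constructing `Config(parse_env(SAMPLE_ENV), environ={})` gives the development view; passing a real environment dict instead shows the production override winning without any change to the settings code.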
