
Protecting sensitive information while deploying Django project


A Django project holds a lot of sensitive information: the values in settings.py (secret key, database credentials), local variables in views that hold passwords or account details, and the data submitted in POST requests made through forms. When deploying a Django project we have to make sure all of this stays protected, especially when the repository is publicly available. A project deployed with DEBUG=True and without all test cases handled hands an attacker detailed error pages, which makes finding weaknesses much easier. Neglecting to protect the sensitive information in settings.py can therefore expose users' data, and the most common way this happens is by pushing those values into a public repository.

Handling settings.py file

To protect the sensitive information in the settings.py file we will use the python-decouple library. This library separates the settings parameters from the source code: parameters that belong to the project stay in the source code, and parameters that belong to a particular instance of the project (keys, passwords, hosts) go into an environment file.

Installation

To install this module type the below command in the terminal.

pip install python-decouple

Stepwise Implementation

  • Create a .env file to store the sensitive data next to the manage.py file, as shown below (the article shows the resulting project layout as a screenshot).

  • Copy the sensitive information such as the secret key, debug flag, database user, database name, database password and database host values from the settings.py file and paste them into the .env file just created, one KEY=VALUE pair per line (the article shows the resulting .env file as a screenshot).

  • Now go to the settings.py file and add this line to import the decouple library installed previously.

Python3

from decouple import config


  • Replace the secret key in the settings.py file with config(), passing the name of the variable under which you saved the secret key in the .env file:

Python3

SECRET_KEY = config('SECRET_KEY')


  • Similarly replace the debug value. Values read from .env are strings, and the string 'False' is truthy in Python, so cast it to a boolean (and default to False so a missing variable never switches debug on):

Python3

DEBUG = config('DEBUG', default=False, cast=bool)


  • Similarly replace DB_USER, DB_NAME, DB_PASSWORD and DB_HOST.
  • Now save all the files.
  • Then create a .gitignore file beside the .env file as shown below.
  • Enter .env inside the .gitignore file, then save and close it.
  • Now you can add the remaining files to git and push them safely; the .env file stays out of the repository.
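The steps above rely on two things going right: DEBUG being cast to a real boolean, and .env actually being ignored by git. The following is an added example, not code from the article or from python-decouple; it implements a small stand-in for decouple's config() over a constructed .env file to show the 'False'-is-truthy pitfall, plus a pre-push check that .env is listed in .gitignore. The function names parse_env, config and env_is_ignored are hypothetical.

```python
# Added example (not from the article). Mimics decouple.config() closely
# enough to show why DEBUG needs cast=bool, and checks .gitignore covers .env.

# Constructed sample files, in the KEY=VALUE layout the article describes.
ENV_TEXT = "SECRET_KEY=replace-me-with-a-real-key\nDEBUG=False\nDB_HOST=127.0.0.1\n"
GITIGNORE_TEXT = "__pycache__/\n*.pyc\n.env\n"

# Same truthy/falsy spellings python-decouple accepts for cast=bool.
_BOOLEANS = {"1": True, "yes": True, "true": True, "on": True,
             "0": False, "no": False, "false": False, "off": False, "": False}


def parse_env(text):
    """Parse .env text into a dict; skips blank lines and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def config(values, key, default=None, cast=None):
    """Look up key in the parsed .env, fall back to default, apply cast."""
    if key in values:
        raw = values[key]
    elif default is not None:
        raw = default
    else:
        raise KeyError(f"{key} not found in .env and no default given")
    if cast is bool and isinstance(raw, str):
        # Without this step bool('False') would be True, enabling DEBUG in prod.
        try:
            return _BOOLEANS[raw.strip().lower()]
        except KeyError:
            raise ValueError(f"{key}={raw!r} is not a valid boolean")
    return cast(raw) if cast else raw


def env_is_ignored(gitignore_text):
    """True if a line of .gitignore excludes .env before it can be pushed."""
    return any(line.strip() == ".env" for line in gitignore_text.splitlines())


if __name__ == "__main__":
    env = parse_env(ENV_TEXT)
    print("DEBUG as string is truthy:", bool(config(env, "DEBUG")))
    print("DEBUG with cast=bool:", config(env, "DEBUG", default=False, cast=bool))
    print(".env ignored:", env_is_ignored(GITIGNORE_TEXT))
```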

Handling Sensitive Variables

Sensitive variables are local variables that hold information such as passwords, usernames and account numbers. To keep this information out of the error report (the debug page and error e-mails Django produces when a view raises), we can use the sensitive_variables decorator from the django.views.decorators.debug module.

Example:

Python3

from django.views.decorators.debug import sensitive_variables

# The named local variables are replaced with asterisks in the traceback
# frames of Django's error report if fun() raises an exception.
@sensitive_variables('password', 'acc', 'name')
def fun(user):
    password = user.password
    acc = user.account_no
    name = user.name


We can also hide all local variables of the function from the error report by calling the sensitive_variables decorator without any arguments.

Example:

Python3

from django.views.decorators.debug import sensitive_variables

# With no arguments every local variable of fun() is masked in the error report.
@sensitive_variables()
def fun(user):
    password = user.password
    acc = user.account_no
    name = user.name


Handling POST Parameters

Suppose one of the POST requests contains sensitive information such as a password, account number or credit card number. We will also want to keep this information out of the error report. Django provides the sensitive_post_parameters decorator in the django.views.decorators.debug module for this.

Example:

Python3

from django.http import HttpResponse
from django.views.decorators.debug import sensitive_post_parameters

# The named POST parameters are masked in the request section of the
# error report if the view raises. Note the decorator names 'acc', while
# the form field read below is 'account_no'; the names must match for
# the value to be masked.
@sensitive_post_parameters('name', 'password', 'acc')
def fun(request):
    name = request.POST['name']
    password = request.POST['password']
    acc = request.POST['account_no']
    return HttpResponse('ok')


We can also hide all the POST parameters by calling the sensitive_post_parameters decorator without any arguments.

Example:

Python3

from django.http import HttpResponse
from django.views.decorators.debug import sensitive_post_parameters

# With no arguments every POST parameter of the request is masked.
@sensitive_post_parameters()
def fun(request):
    name = request.POST['name']
    password = request.POST['password']
    acc = request.POST['account_no']
    return HttpResponse('ok')

Last Updated : 13 Jan, 2022