Secure Sensitive Django Variables using Python Decouple

May 1, 2020, 11:08 a.m.

Last Modified: Sept. 15, 2020, 5:46 p.m.

What is decouple in Python?

Decoupling is the process of separating or dissociating something from something else.

Python decouple is a Python package designed to separate settings from the rest of your project's code, and in the process secure your secret keys and other variables.

Parameters that differ between instances of the project, such as secret keys and debug flags, are stored in an environment file, .env, while parameters that belong to the project itself stay in the source code.

 


 

Pip install python-decouple

macOS Terminal

(env)User-Macbook:mysite user$ pip install python-decouple

Windows Command Prompt

(env) C:\Users\Owner\desktop\code\env\mysite>pip install python-decouple

Open your macOS Terminal or Windows Command Prompt. With your virtual environment activated, install the Python package python-decouple from your Django project's root directory.

 


 

How to use python-decouple in Django

To use the python decouple package in Django, first create an environment file in your root directory. The root directory is also known as the project folder in Django. 

 

Create an environment file

env > mysite > (New File) .env

#env file
SECRET_KEY =
DEBUG =

Create a new file named .env in the root directory of your Django project. Note that the file name begins with a period and that the file is created in the same directory as manage.py and your database, db.sqlite3.

Your project's secret key, debug settings, and any other sensitive information, such as AWS access keys, will be stored here.

For now, we will just add the Django secret key and debug setting to the file.

Leave these variables blank for now. You will need to copy and paste each of these Django variables from your settings.py.

 

 

Copy the Django variables from the settings

env > mysite > mysite > settings.py

"""
Django settings for mysite project.

Generated by 'django-admin startproject' using Django 3.0.8.

For more information on this file, see
https://docs.djangoproject.com/en/3.0/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.0/ref/settings/
"""

import os

...

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'sdjioerb43buobnodhioh4i34hgip'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

...

Open settings.py and find all of the configuration settings you would like to secure.

 

Paste the Django variables in .env

env > mysite > .env

#env file
SECRET_KEY =sdjioerb43buobnodhioh4i34hgip
DEBUG =True

Copy and paste the information into the .env file without quotation marks. Save the file when you have added your configurations. 

 


 

Update the Django decouple configurations in the settings

The last thing that needs to be updated is the Django settings.py file.

Now that the sensitive Django variables are placed in the .env file, they can be decoupled from the settings and called via decouple config.

 

Import config from decouple

env > mysite > mysite > settings.py

"""
Django settings for mysite project.

Generated by 'django-admin startproject' using Django 3.0.8.

For more information on this file, see
https://docs.djangoproject.com/en/3.0/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.0/ref/settings/
"""

import os
from decouple import config

...

Go back to settings.py and import config from decouple at the top of the file.

 

Use config to call the Django variables in .env

env > mysite > mysite > settings.py

"""
Django settings for mysite project.

Generated by 'django-admin startproject' using Django 3.0.8.

For more information on this file, see
https://docs.djangoproject.com/en/3.0/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.0/ref/settings/
"""

import os
from decouple import config

...

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = config('SECRET_KEY')

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = config('DEBUG', cast=bool)

...

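Then update the configurations that are now saved in the .env file with the format config('variable'). Using this format, the Django variables are decoupled from the source code but still accessible via the .env file. Values in .env are read as strings, so cast=bool is what turns the text True into a Python boolean for DEBUG.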

Make sure both files are saved.

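When you run the server again, the site should appear as usual, but your sensitive configuration settings are no longer hard-coded in settings.py. They stay hidden only as long as .env itself is kept out of version control, for example by listing it in .gitignore.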
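A quick way to confirm the migration described above is complete, written as an added example that is not part of the original tutorial or of python-decouple. The function names are hypothetical, the sample inputs are constructed from the snippets on this page, and the .gitignore check assumes the project is tracked with git.

```python
import ast

SENSITIVE = ("SECRET_KEY", "DEBUG")  # the two settings this tutorial moves into .env

def hardcoded_settings(settings_source):
    """Names in SENSITIVE that settings.py still assigns from a literal value."""
    found = []
    for node in ast.parse(settings_source).body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            found += [t.id for t in node.targets
                      if isinstance(t, ast.Name) and t.id in SENSITIVE]
    return found

def missing_env_keys(env_text):
    """Names in SENSITIVE that are absent from .env or left blank."""
    values = {}
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return [name for name in SENSITIVE if not values.get(name)]

def env_is_ignored(gitignore_text):
    """True if .gitignore names .env (plain patterns only, no negation handling)."""
    patterns = {line.strip() for line in gitignore_text.splitlines()}
    return bool(patterns & {".env", "/.env", ".env*", "*.env"})

# Constructed samples based on the snippets in this tutorial.
SETTINGS_BEFORE = "SECRET_KEY = 'sdjioerb43buobnodhioh4i34hgip'\nDEBUG = True\n"
SETTINGS_AFTER = (
    "from decouple import config\n"
    "SECRET_KEY = config('SECRET_KEY')\n"
    "DEBUG = config('DEBUG', cast=bool)\n"
)
ENV_BLANK = "#env file\nSECRET_KEY =\nDEBUG =\n"
ENV_FILLED = "#env file\nSECRET_KEY =sdjioerb43buobnodhioh4i34hgip\nDEBUG =True\n"

if __name__ == "__main__":
    print("before:", hardcoded_settings(SETTINGS_BEFORE))
    print("after: ", hardcoded_settings(SETTINGS_AFTER))
    print("blank .env missing:", missing_env_keys(ENV_BLANK))
    print("filled .env missing:", missing_env_keys(ENV_FILLED))
    print(".env ignored:", env_is_ignored("db.sqlite3\n.env\n"))
```

In a real project, pass the contents of settings.py, .env and .gitignore to these functions instead of the embedded samples.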

 


 

Cannot import config from decouple error

If you are getting the error "cannot import config from decouple", check that:

  1. You installed python-decouple in your root directory with the virtual environment activated.
  2. You created a file called .env in the root directory of your project.
  3. You saved the changed files.
