Hiding Django's Secret Key

Posted on by Miles Steele

Django uses a secret key for many of its security features. This secret key should not be checked into version control. There are many ways to factor out the secret key; here’s the one I use.

The secret key entry is stored by default in settings.py:

# Make this unique, and don't share it with anybody.
SECRET_KEY = 'y2k94mib_ve%c9hth=9grurdontuse1(t&his;jy-xkcd'

From the Django Docs:

Running Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

In your settings.py, replace the SECRET_KEY entry with the following block of code. It will look for an existing secret key in and if it does not find one, then it will generate and save one into secret_key.py when the settings file is used.

# SECURITY WARNING: keep the secret key used in production secret!
import sys 

def find_or_create_secret_key():
    Look for secret_key.py and return the SECRET_KEY entry in it if the file exists.
    Otherwise, generate a new secret key, save it in secret_key.py, and return the key.
    SECRET_KEY_DIR = os.path.dirname(__file__)
    SECRET_KEY_FILEPATH = os.path.join(SECRET_KEY_DIR, 'secret_key.py') 

    if os.path.isfile(SECRET_KEY_FILEPATH):
        from secret_key import SECRET_KEY
        return SECRET_KEY
        from django.utils.crypto import get_random_string
        chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
        new_key = get_random_string(50, chars)
        with open(SECRET_KEY_FILEPATH, 'w') as f:
            f.write("# Django secret key\n# Do NOT check this into version control.\n\nSECRET_KEY = '%s'\n" % new_key)
        from secret_key import SECRET_KEY
        return SECRET_KEY

# Make this unique, and don't share it with anybody.
SECRET_KEY = find_or_create_secret_key()

That’s it. Be sure to add secret_key.py to your .gitignore!