Protecting Django Project From Getting Attacked

In this tutorial we will learn how to protect the settings.py file of your Django project, so that the credentials it holds cannot be read and used to attack the project. You can also find the code on GitHub.

So, let’s start.

Setting up Django Project

We will first create a Django project. You can refer to our previous blogs to learn how to create one.

In my case I have created a project named basic. Looking at our settings.py file, we find lines such as SECRET_KEY, ALLOWED_HOSTS, or the Gmail ID and password we use for SMTP. We do not want anyone to see these credentials, because our security may be compromised when the project is pushed to GitHub or deployed on a server. To protect them, we use django-environ to move these details out of settings.py.

Setting up .env file in Django

First we will install django-environ:

pip install django-environ==0.4.5

After installing environ we will create a .env file in the project folder (where settings.py is present).

The .env file can hold as many variables as you need; I have used a few in my case.

# The project secret key; keep this file out of version control
PROJECT_SECRET=u6o#j(oc1ln24!5)sbl7*jgl^-#6+l9c^z88)[email protected])93$)k_
# Database user and password, in case you have any DB on the server side
DB_USER=<db-user>
DB_PASS=<db-password>
# You can change this to deployment when your project is hosted
ENV=production
# You can add multiple hosts separated by commas
HOST=127.0.0.1
# Any email ID and password, if you want to add one
EID=<email-id>
EPASS=<email-password>

After creating the .env file we will add it in our settings.py

import os
import environ

# BASE_DIR is the repository root, two levels above settings.py
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

env = environ.Env()
# Read the .env file that sits in the same folder as settings.py
environ.Env.read_env(os.path.join(os.path.dirname(os.path.abspath(__file__)), '.env'))

SECRET_KEY = env("PROJECT_SECRET")  # the project secret no longer appears in settings.py

# In this project ENV=production is the local setting; change ENV to
# deployment on the hosted server so that DEBUG is switched off there.
if env('ENV') == "production":
    DEBUG = True
else:
    DEBUG = False

# HOST may hold several hosts separated by commas, so read it as a list.
# If settings.py is compromised, the allowed hosts are still not visible.
ALLOWED_HOSTS = env.list("HOST")

# In case you have any SMTP configuration
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_USE_TLS = True
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_HOST_USER = env("EID")
EMAIL_HOST_PASSWORD = env("EPASS")
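To show what the settings above actually do with the .env file, here is an added example that is not part of the original post or of the django-environ package: a small stand-alone dotenv reader, written with only the standard library, that turns a constructed sample .env (placeholder values, no real credentials) into the security-relevant settings. It demonstrates the parts that are easy to get wrong: a comma-separated HOST must become a list rather than a one-element list holding the raw string, a missing secret should fail loudly instead of silently becoming empty, and DEBUG is derived so that it is off unless the environment explicitly asks for it. The last point is a deliberately stricter convention than the post's ENV handling: here debug mode is opt-in via ENV=development, and any other or missing value leaves it off.

```python
import re
from typing import Dict, List

# Constructed sample .env standing in for the file described above.
# All values are placeholders, not real credentials.
SAMPLE_ENV = """
# comments and blank lines are ignored
PROJECT_SECRET='not-a-real-secret-key-replace-me'
ENV=production
HOST=127.0.0.1, example.invalid
export EID=user@example.invalid
EPASS="p@ss word with spaces"
"""

# KEY=VALUE with an optional leading "export", the shape dotenv loaders accept
_LINE = re.compile(r"\A(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)\Z")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines the way a dotenv loader does.

    Handles comments, blank lines, an optional ``export`` prefix and
    single- or double-quoted values. Lines that do not match are skipped
    rather than guessed at.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[key] = value
    return result


def require(env: Dict[str, str], name: str) -> str:
    """Fail at startup instead of running with an empty secret or host list."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"Missing required environment variable: {name}") from None


def csv_list(value: str) -> List[str]:
    """Split 'a, b' into ['a', 'b'], dropping empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def build_settings(env: Dict[str, str]) -> dict:
    """Derive the security-relevant settings from the parsed environment."""
    return {
        "SECRET_KEY": require(env, "PROJECT_SECRET"),
        # Debug is opt-in: Django's debug pages expose settings, stack traces
        # and local variables to anyone who triggers an error, so any value
        # other than an explicit "development" leaves it off.
        "DEBUG": env.get("ENV") == "development",
        # A comma-separated HOST becomes a real list of hosts.
        "ALLOWED_HOSTS": csv_list(require(env, "HOST")),
        "EMAIL_HOST_USER": env.get("EID", ""),
        "EMAIL_HOST_PASSWORD": env.get("EPASS", ""),
    }


if __name__ == "__main__":
    settings = build_settings(parse_dotenv(SAMPLE_ENV))
    for key, value in settings.items():
        # Never echo secrets, even in a local demo
        shown = "<redacted>" if "SECRET" in key or "PASSWORD" in key else value
        print(f"{key} = {shown!r}")
```

Running the block prints the derived settings with the secret and password redacted. The same three checks (list-valued hosts, required variables, debug off by default) are what to look for when reviewing any settings.py that reads from the environment.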

Now, just add the .env file to .gitignore so that it is never pushed to GitHub. I have provided a sample.env in the GitHub repository for demo purposes.

That is all it takes to add an extra layer of protection to your Django app.

GitHub – Run Example Locally

GitHub – https://github.com/priyanshuarora1/Protecting-Django-Project-From-Getting-Attacked

Clone the Repository

git clone https://github.com/priyanshuarora1/Protecting-Django-Project-From-Getting-Attacked.git

Create Virtual Environment – VirtualEnv

mkvirtualenv env

Run requirements file to install libraries using pip

pip install -r requirements.txt

Run the server

python3 manage.py runserver

And open http://localhost:8000/ in your browser.