In this tutorial we will learn how to protect the settings.py file of your Django project from exposing its secrets. You can also find the code on GitHub.

So, let’s start.
Setting up Django Project
We will first create a Django project. You can refer to our previous blogs to learn how to create one.
In my case I have created a project named basic. Moving on to our settings.py file, we find lines such as SECRET_KEY, ALLOWED_HOSTS, or any Gmail ID and password we use for SMTP. We don't want anyone to see these credentials, because our security would be compromised as soon as the project is pushed to GitHub or deployed on a server. To protect them, we use django-environ to keep these details out of settings.py.
Setting up .env file in Django
Firstly we will install django-environ:
pip install django-environ==0.4.5
After installing it, we will create a .env file in the project folder (the one where settings.py is present).
A .env file can hold many variables; I have used a few in my case.
PROJECT_SECRET=u6o#j(oc1ln24!5)sbl7*jgl^-#6+l9c^z88)6+e@a)93$)k_
DB_USER=(In case you have any DB on the server side)
DB_PASS=(DB password)
ENV=production (You can change this to deployment when your project is hosted)
HOST=127.0.0.1 (You can add multiple hosts separated by commas)
EID=(Any email ID, if you want to add one)
EPASS=(Password)
After creating the .env file, we will read it in our settings.py:
import os
import environ

env = environ.Env()
# Reads the .env file that sits next to settings.py
environ.Env.read_env()

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

SECRET_KEY = env("PROJECT_SECRET")  # Project secret is hidden now

# As described above, ENV=production is the local run; change it to
# deployment when the project is hosted so that DEBUG is off there
if env('ENV') == "production":
    DEBUG = True
else:
    DEBUG = False

# env.list() splits the comma-separated HOST value into a list, so
# several hosts can be given in .env; a plain env("HOST") would keep
# "a,b" as one string and no host would ever match
ALLOWED_HOSTS = env.list("HOST")  # If settings.py is compromised, one cannot see the allowed hosts

# In case you have any SMTP configuration
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_USE_TLS = True
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_HOST_USER = env("EID")
EMAIL_HOST_PASSWORD = env("EPASS")
Now, just add the .env file to .gitignore so that it is never pushed to GitHub. I have provided a sample.env in the GitHub repo for the demo.
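As an added example (not code from this post or its repo), here is a stand-in for the django-environ pattern above that runs without Django: it parses the .env layout used here, applies the same casts (ENV to DEBUG, comma-separated HOST to a list like env.list()), refuses the secret that is published in sample.env, and checks that .gitignore really excludes .env. The function names and sample values are constructed for the example.

```python
import fnmatch

# Constructed sample .env using the same keys as the post (secret is a dummy).
SAMPLE_ENV = """\
PROJECT_SECRET=constructed-dev-secret-not-for-real-use-0123456789
ENV=deployment
HOST=127.0.0.1, example.com
EID=me@example.com
EPASS=app-password
"""
# The secret shipped in the post's sample.env is public, so it must never be used.
PUBLISHED_SAMPLE_SECRET = "u6o#j(oc1ln24!5)sbl7*jgl^-#6+l9c^z88)6+e@a)93$)k_"


def parse_env(text):
    """Parse KEY=VALUE lines (split on the first '=' only); skip blanks and '#' comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def build_settings(env):
    """Derive the settings the post reads from .env, with the post's semantics:
    ENV=production is the local run (DEBUG on), anything else is hosted (DEBUG off)."""
    missing = [k for k in ("PROJECT_SECRET", "ENV", "HOST") if k not in env]
    if missing:
        raise KeyError("missing required .env keys: " + ", ".join(missing))
    secret = env["PROJECT_SECRET"]
    if not secret or secret == PUBLISHED_SAMPLE_SECRET:
        raise ValueError("PROJECT_SECRET is empty or still the public sample value")
    return {
        "SECRET_KEY": secret,
        "DEBUG": env["ENV"] == "production",
        "ALLOWED_HOSTS": [h.strip() for h in env["HOST"].split(",") if h.strip()],
        "EMAIL_HOST_USER": env.get("EID", ""),
        "EMAIL_HOST_PASSWORD": env.get("EPASS", ""),
    }


def env_file_ignored(gitignore_text, filename=".env"):
    """True if some .gitignore pattern matches the .env file name."""
    for pattern in gitignore_text.splitlines():
        pattern = pattern.strip().lstrip("/")
        if pattern and not pattern.startswith("#") and fnmatch.fnmatch(filename, pattern):
            return True
    return False
```

Running build_settings at startup (for instance from settings.py itself) turns a forgotten or copied secret into an immediate failure instead of a silently weak deployment.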
Yes, that was all about adding an extra layer of protection to your Django app.
GitHub – Run Example Locally
GitHub – https://github.com/priyanshuarora1/Protecting-Django-Project-From-Getting-Attacked
Clone the Repository
git clone https://github.com/priyanshuarora1/Protecting-Django-Project-From-Getting-Attacked.git
Create Virtual Environment – VirtualEnv
mkvirtualenv env
Run the requirements file to install the libraries using pip
pip install -r requirements.txt
Run the server
python3 manage.py runserver
And open http://localhost:8000/ in your browser.