Move Django secret key to secrets.py

apiserver/apiserver/secrets.py.example

@@ -1,6 +1,18 @@
 # Spaceport secrets file, don't commit to version control!
 
-# Set this to random characters so the PayPal IPN POST route is unguessable
+# /ipn/ route obfuscation
+# Set this to random characters
 # For example, use the output of this:
-# head /dev/urandom | md5sum
+# head /dev/urandom | base32 | head -c 16
 IPN_RANDOM = ''
+
+# Django secret key
+# Set this to random characters
+# For example, use the output of this:
+# head /dev/urandom | base64 | head -c 50
+DJANGO_SECRET_KEY = ''
+# Warning
+# Keep this value secret.
+# Running Django with a known SECRET_KEY defeats many of Django’s security
+# protections, and can lead to privilege escalation and remote code execution
+# vulnerabilities.

apiserver/apiserver/settings.py

@@ -13,6 +13,8 @@ https://docs.djangoproject.com/en/3.0/ref/settings/
 import os
 import logging
 
+from . import secrets
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -21,7 +23,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'tm2h!9@=+cqy#n^&2en9(dhyfc@n--9*$s*#b9&%rdai)jrj&f'
+SECRET_KEY = secrets.DJANGO_SECRET_KEY
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG_ENV = os.environ.get('DEBUG', False)