From 0326950c54f0be44e3613b02946b9f12bed13614 Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Sun, 2 Feb 2020 04:42:46 +0000
Subject: [PATCH] Move Django secret key to secrets.py

---
 apiserver/apiserver/secrets.py.example | 16 ++++++++++++++--
 apiserver/apiserver/settings.py | 4 +++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/apiserver/apiserver/secrets.py.example b/apiserver/apiserver/secrets.py.example
index 701428b..2918934 100644
--- a/apiserver/apiserver/secrets.py.example
+++ b/apiserver/apiserver/secrets.py.example
@@ -1,6 +1,18 @@
 # Spaceport secrets file, don't commit to version control!
-# Set this to random characters so the PayPal IPN POST route is unguessable
+# /ipn/ route obfuscation
+# Set this to random characters
 # For example, use the output of this:
-# head /dev/urandom | md5sum
+# head /dev/urandom | base32 | head -c 16
 IPN_RANDOM = ''
 
+
+# Django secret key
+# Set this to random characters
+# For example, use the output of this:
+# head /dev/urandom | base64 | head -c 50
+DJANGO_SECRET_KEY = ''
+# Warning
+# Keep this value secret.
+# Running Django with a known SECRET_KEY defeats many of Django’s security
+# protections, and can lead to privilege escalation and remote code execution
+# vulnerabilities.
diff --git a/apiserver/apiserver/settings.py b/apiserver/apiserver/settings.py
index f6d23b8..7c35df6 100644
--- a/apiserver/apiserver/settings.py
+++ b/apiserver/apiserver/settings.py
@@ -13,6 +13,8 @@ https://docs.djangoproject.com/en/3.0/ref/settings/
 import os
 import logging
+from . import secrets
+
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
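Review bot: The four `# Warning …` lines sit below `DJANGO_SECRET_KEY = ''`, while the guidance for `IPN_RANDOM` sits above its assignment; moving the warning above the assignment keeps the two entries parallel and puts the caveat where a reader sees it before pasting a value in. The generation hint could also point at the helper Django ships for this purpose, `# python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"`, which avoids depending on the shell pipeline's behaviour. It is worth stating that the empty default is deliberate: Django refuses to start when SECRET_KEY is empty (ImproperlyConfigured), so an unfilled copy of this file fails closed rather than running with a guessable key.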
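Review bot: `from . import secrets` binds the name `secrets` in settings.py to the project module and thereby shadows the standard-library `secrets` module for the rest of this file; `from . import secrets as local_secrets`, with the matching rename at the `SECRET_KEY` assignment in the following hunk, removes the ambiguity. Whether `apiserver/apiserver/secrets.py` is excluded from version control is not visible in this patch; since the example file's header says it must never be committed, the ignore rule should be confirmed as part of this change.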
@@ -21,7 +23,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'tm2h!9@=+cqy#n^&2en9(dhyfc@n--9*$s*#b9&%rdai)jrj&f'
+SECRET_KEY = secrets.DJANGO_SECRET_KEY
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG_ENV = os.environ.get('DEBUG', False)
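Review bot: The literal key removed on the `SECRET_KEY` line stays in the repository history, so moving the setting out of settings.py does not retire it; the value placed in `secrets.py` should be freshly generated rather than copied over, and any deployment still running the old value should be rotated (existing sessions and signed tokens will be invalidated, which is the expected effect). A short comment at the new assignment would make that intent explicit, e.g. `# Loaded from secrets.py, which is kept out of version control; never reuse a key that was ever committed.` Because Django rejects an empty SECRET_KEY at startup, a secrets.py left at its example default fails closed, which is worth noting alongside the existing SECURITY WARNING comment.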