The secret key must be a large random value and it must be kept secret.
Make sure that the key used in production isn't used anywhere else and avoid committing it to source control. This reduces the number of vectors from which an attacker may acquire the key. Instead of hardcoding the secret key in your settings module, consider loading it from an environment variable:
    import os
    SECRET_KEY = os.environ['SECRET_KEY']
or from a file:
    with open('/etc/secret_key.txt') as f:
        SECRET_KEY = f.read().strip()
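Both loaders above run silently with an empty or placeholder key if the variable or file is misconfigured. The following is an added example, not from the book or from Django itself, that combines the two sources and fails closed: it prefers the environment variable, falls back to a key file (the path and the 50-character minimum, matching the length of keys that startproject generates, are assumptions), and refuses to start with a missing or short key. It also reads DEBUG from an assumed DJANGO_DEBUG variable so that it is off unless switched on explicitly.

```python
import os
from pathlib import Path

try:
    # Django's own exception, raised for bad settings at startup.
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # stand-in so the example also runs without Django installed
    class ImproperlyConfigured(Exception):
        pass

# Assumed threshold: keys generated by django-admin startproject are 50 characters.
MIN_SECRET_KEY_LENGTH = 50


def load_secret_key(environ=None, key_file="/etc/secret_key.txt"):
    """Return SECRET_KEY from the environment, else from key_file.

    Fails closed: a missing, empty or short key raises ImproperlyConfigured
    instead of letting the process start with a weak or placeholder value.
    """
    environ = os.environ if environ is None else environ
    key = environ.get("SECRET_KEY", "").strip()
    if not key:
        path = Path(key_file)
        if not path.is_file():
            raise ImproperlyConfigured(
                "SECRET_KEY is not set and %s does not exist" % key_file)
        key = path.read_text().strip()
    if len(key) < MIN_SECRET_KEY_LENGTH:
        raise ImproperlyConfigured(
            "SECRET_KEY is too short (%d chars, need %d)"
            % (len(key), MIN_SECRET_KEY_LENGTH))
    return key


def parse_debug(environ=None):
    """DEBUG is False unless DJANGO_DEBUG (assumed name) is explicitly truthy.

    Anything other than the listed values, including typos, keeps DEBUG off,
    so a misconfigured production host never ends up with debug pages enabled.
    """
    environ = os.environ if environ is None else environ
    return environ.get("DJANGO_DEBUG", "").strip().lower() in ("1", "true", "yes")


# In settings.py these two lines replace the hardcoded values:
SECRET_KEY = load_secret_key() if "SECRET_KEY" in os.environ else None
DEBUG = parse_debug()
```

The module-level assignment at the bottom only consults the environment so the example imports cleanly; in a real settings module you would call load_secret_key() unconditionally so startup fails when the key is absent.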
You must never enable DEBUG in production.
When we created a project in Chapter 1, Introduction to Django and Getting Started, the command django-admin startproject created a settings.py file with DEBUG set to True. Many internal parts of Django check this setting and change their behavior if DEBUG mode is on.
For example, if DEBUG is set to True, then:
All database queries will be saved in memory as the object django.db.connection.queries. As you can...