graemep 13 hours ago

> use python-dotenv to pull settings from environment / .env

I disagree strongly with this one. All you are doing is moving those settings to a different file. You might as well use a local settings file that reads the common settings. On production keep things like API keys that need to be kept secret elsewhere - as a minimum outside the project directories and owned by a different user.
senko 9 hours ago

Sure, that works as well; for example, on some deploys I set the settings in the systemd service file. However, it's more convenient to just have .env right there.

> On production keep things like API keys that need to be kept secret elsewhere - as a minimum outside the project directories and owned by a different user.

Curious what extra protection this gives you, considering the environment variables are, well, in the environment, and can be read by the process. If someone does a remote code execution attack on the server, they can just read the environment. The only thing I can imagine it does protect against is if you mistakenly expose the project root folder on the web server.
advisedwang 8 hours ago

That's something that python-dotenv enables. It can pull from environment, which you can wire up from k8s secrets or whatever is the case for your hosting.
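As an added illustration of the loading order advisedwang describes and the placement rule graemep argues for (not code from any commenter or from python-dotenv): the environment is consulted first, a dotenv-style file only fills the gaps, and the file is rejected if it sits inside the project root or is readable by other users, which is the "exposed project root" case senko raises. The tiny KEY=VALUE parser stands in for python-dotenv so the snippet runs offline; all paths and values are constructed in `demo()`.

```python
import os
import stat
import tempfile
from pathlib import Path


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser standing in for python-dotenv (assumption: no quoting rules)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def check_secrets_file(path: Path, project_root: Path) -> list:
    """Return policy violations for a secrets file (empty list means acceptable).
    Ownership by a separate user is deliberately not checked here: it is not portable."""
    problems = []
    path, project_root = path.resolve(), project_root.resolve()
    if path == project_root or project_root in path.parents:
        problems.append(f"{path} is inside the project root {project_root}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is group/world accessible (mode {oct(mode)})")
    return problems


def load_settings(required, project_root, secrets_file=None, environ=None):
    """Environment wins; a vetted secrets file outside the project root fills the gaps."""
    env = dict(os.environ if environ is None else environ)
    if secrets_file is not None:
        problems = check_secrets_file(Path(secrets_file), Path(project_root))
        if problems:
            raise PermissionError("; ".join(problems))
        for key, value in parse_dotenv(Path(secrets_file).read_text()).items():
            env.setdefault(key, value)  # never override what the environment already set
    missing = [key for key in required if key not in env]
    if missing:
        raise KeyError(f"missing settings: {missing}")
    return {key: env[key] for key in required}


def demo():
    """Constructed layout: /srv/app is the project root, /etc/app.env holds the secrets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "srv", "app")
        root.mkdir(parents=True)
        inside = root / ".env"  # the pattern graemep objects to
        inside.write_text("API_KEY=constructed-inside\n")
        inside.chmod(0o600)
        outside = Path(tmp, "etc", "app.env")
        outside.parent.mkdir()
        outside.write_text("# constructed sample\nAPI_KEY=constructed-outside\nDEBUG=0\n")
        outside.chmod(0o600)
        settings = load_settings(["API_KEY", "DEBUG"], root, outside, environ={"DEBUG": "1"})
        return settings, check_secrets_file(inside, root)
```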