
Not using .env file, is this a security vulnerability?

I want to store my config and variables outside of my code (views.py and other files). As I understand this is a measure of good practice and security. With the help of other posts on PA forums I’ve got a functioning site using a config.py file and no app.config variables defined within my code. Doesn’t seem that I need the .env file.

Other possibly useful criteria:

  • Config.py is stored in /home/CostaRica/mysite/config.py
  • My __init__.py file refers to config through app.config.from_pyfile('/home/CostaRica/mysite/config.py')
  • My wsgi.py file is unchanged

Am I missing something? Am I practicing good security based on these criteria so far? Sorry for open ended question. I don’t feel I understand .env and config.py. I’m hoping someone with more experience can fill in the gap I’m missing on this process.

Separating your secrets from your code makes sense when you keep it in a public repository. In that scenario it's recommended not to commit your .env file.

How about config.py, would that go in a public repository?

Maybe I should be storing things that need to be secured in .env then somehow reference the secure things from .env in config.py. Then config.py could be shared and anyone using it would have to fill in their own .env variables?

The important thing is to make sure that your private information doesn't wind up in the repository -- and in particular to make sure that you minimise the risk of accidentally committing it into the repo. Because your .env files will normally live outside the repository's directory, that makes them a good solution for doing that, but another is to keep them in a separate config file that is explicitly listed in a .gitignore file. The git-ignore thing is important to avoid the risk of accidentally doing a git add . and accidentally committing it.
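One way to put the last two posts into practice, as an added example that is neither code from this thread nor from PythonAnywhere: config.py reads its secrets from a .env file (or from the real environment) and refuses to build a config without them, so config.py itself can live in the repository while .env sits in .gitignore. The setting names, the tiny .env parser (written here instead of using python-dotenv) and the sample .env contents are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

REQUIRED = ("SECRET_KEY", "DATABASE_URL")  # hypothetical names for this example

class ConfigError(ValueError):
    """A required secret came from neither .env nor the real environment."""

def load_dotenv_file(path):
    """Parse KEY=VALUE lines: skip blanks and '#' comments, strip one layer of
    matching quotes. Assumption: no multi-line values or ${VAR} expansion."""
    values = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values

def build_config(dotenv_path=None, environ=None):
    """Flask-style config dict. Real environment variables win over .env (a
    deployment can override without editing files); a missing secret fails here."""
    env = dict(os.environ if environ is None else environ)
    if dotenv_path is not None and Path(dotenv_path).exists():
        for key, value in load_dotenv_file(dotenv_path).items():
            env.setdefault(key, value)
    missing = [key for key in REQUIRED if not env.get(key)]
    if missing:
        raise ConfigError("missing required settings: " + ", ".join(missing))
    return {"SECRET_KEY": env["SECRET_KEY"],
            "SQLALCHEMY_DATABASE_URI": env["DATABASE_URL"],
            "DEBUG": env.get("FLASK_DEBUG", "0") == "1"}

def demo():
    """Exercise the loader on a constructed .env written to a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dotenv = Path(tmp) / ".env"  # constructed sample, never committed
        dotenv.write_text('SECRET_KEY="constructed-key"\n# comment\nDATABASE_URL=sqlite:///app.db\nFLASK_DEBUG=0\n')
        loaded = build_config(dotenv, environ={"FLASK_DEBUG": "1"})
        try:  # no .env and an empty environment: startup must fail loudly
            build_config(dotenv_path=None, environ={})
            error = None
        except ConfigError as exc:
            error = str(exc)
    return loaded, error
```

In a Flask app the result of build_config() is what you would hand to app.config.update() instead of calling from_pyfile on a file that contains the secrets themselves.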

Hello all. I'm new here. Who can view python files on the servers?

By default, only you can see files that you store on PythonAnywhere. If you nominate another PythonAnywhere account as your teacher from the "Account" page, then they can also see your files. If you share a file using the "Share" button in the editor, then of course people with a link to that shared file can see it. And if you set up a web site on the "Web" page, then you can configure things so that certain files are viewable by others there. Finally, the PythonAnywhere system admins can see your files, but we will only look at them with your explicit permission as part of helping you solve a problem, or if you are somehow causing problems with the system (for example, if you appear to be running a phishing or otherwise illegal website).