Let’s take a look at an easy module today – the Python-dotenv module. A lot of the time on a website, you might wonder as to how the security of this website could be threatened as some aspects of the code are bound to have to receive information from an endpoint or a particular domain.
A good example of this would be the utilization of SECRET_KEYS in GitHub, or the usage of them in Django projects.
While it might be fine to have these keys/secrets exposed during development, it’s quite risky to continue to let them stay out in the open even in the production stage when it’s open to everyone.
This might lead to a lot of issues with malicious people trying to DDoS attack, or retrieve vital information from your website or application.
So, you might ask, what’s the solution to this, and how do I keep my credentials safe?
Well, fortunately, we have the python-dotenv module that can help us work with SECRETS and KEYS without exposing them to the outside world, and keep them safe during development too!
1.0 How does python-dotenv work?
To simply answer your question, it’s by introducing the concept of a file that contains all of the credentials in one place.
We’ll be using this file everywhere, whenever we need the credentials, but, without exposing any of the keys themselves, as the file only exists on the development system, or the hosting system, and is not available as a part of the code itself.
1.1 What’s the name of this file?
The file is named with a .env extension in most places, and is named as such even in this article.
1.2 Accessing this file in the code?
We’ll be using a handy module called the python-dotenv module in order to use these SECRET_KEYS, in the code.
The python-dotenv module is configured in the settings.py file in the project, and is done in such a way that we can access keys pretty discretely.
It’s a pretty simple idea and you’ll know what I mean by the time we’re done, so, let’s get to working with it!
Installing python-dotenv
The installation of the python-dotenv module is pretty straightforward and can be achieved through a simple command, for the pip manager,
pip install -U python-dotenv
Using the python-dotenv module
If you’re done installing it, let’s get to setting up the rest of the code so that you never have to worry about exposing your credentials again.
2.1 Setting up .env
Before you go ahead with trying to use credentials in your project files, it is important to note that you first need to have details recorded in your .env file to be able to use them.
So, let’s create a .env file, and input some credentials into it, which we will be using in the project.
# .env file
SECRET_KEY=v%)9n7kg^65(4-uir6!pa@oqqsdn8agv9h8_#ohn*55$th-gff
DOMAIN=tester.org
EMAIL=admin@${DOMAIN}
We’ve inserted our randomly generated SECRET_KEY, DOMAIN, and EMAIL, into the .env file, and that’s about enough for now.
2.2 Working with settings.py to parse credentials
A large number of projects use the settings.py file in order to specify settings that are particular to their project.
In the Django Framework, the settings.py file is used to record information regarding the components of the project that are used, as well as specifications that are crucial to connecting the project together.
There is a similar reasoning behind the creation of the settings.py in the Flask Framework as well.
As such, we’re going to create our own settings.py which can help us use the python-dotenv module to work with SECRETS in our projects, as an example.
# settings.py
## importing the load_dotenv from the python-dotenv module
from dotenv import load_dotenv
## using existing module to specify location of the .env file
from pathlib import Path
import os
load_dotenv()
env_path = Path('.')/'.env'
load_dotenv(dotenv_path=env_path)
# retrieving keys and adding them to the project
# from the .env file through their key names
SECRET_KEY = os.getenv("SECRET_KEY")
DOMAIN = os.getenv("DOMAIN")
EMAIL = os.getenv("EMAIL")
In case you wish to follow along or edit an existing settings.py, feel free to do so, as the procedure is quite simple and does not pose a risk.
- Importing the python-dotenv module
In this code, we import the python-dotenv for the load_dotenv functionality, which sets the environment variable keys for us to work with. This means that all the SECRETS in the .env file, can now be accessed as environment variables for this project.
We import the Path function from the pathlib module to access the .env file, and the os module to work with the environment variable keys that are created due to the python-dotenv module.
- The env_path variable
We use the env_path as a means to specify the directory in which the .env file is stored.
In this example, the file is stored in the same directory as the settings.py, and so the current directory is specified.
- The os.getenv function
This is the function that is used to retrieve the environment variable keys, if they exist.
We use this function to retrieve the keys that we need from the .env file.
2.3 Suggestions for distributed development of applications
During the development stage, it is a good idea to keep your team informed about the required credentials and provide them with their own copies of the .env file. This way, they can work on the project, test, and debug without any issue.
Keep in mind that there’s an option to generate a new secret key in the case that you’ve accidentally exposed it, so, there’s no need to panic.
Plus, it’s generally a good idea to generate a new key before deployment as a safety measure!
Conclusion
A large number of security vulnerabilities can be resolved by taking care of leaked credentials, and the python-dotenv helps in developing a safer project environment to work with, both, during and after development as well.
They can be applied to working with a large number of web based applications or just frameworks like Django and Flask.
Overall, there’s quite the sense of being able to sleep at night comfortably, knowing that people won’t be able to get their hands on your copy of the .env file.
Here’s to a more secure system, Cheers!