Skip to content

Remove SECRET_KEY from production.py

One-sentence description

Remove default SECRET_KEY value from production.py settings

Why?

The SECRET_KEY should always be set in production.py, so it is a better idea to crash when it isn't set, than to use a default nonsecure key.

Current implementation

A default key is set in production.py. (https://gitlab.science.ru.nl/thalia/concrexit/blob/23b79eb4461ac082a94d7a0c4318c0a848743c67/website/thaliawebsite/settings/production.py#L29)

Suggested implementation

SECRET_KEY = os.environ.get('DJANGO_SECRET')

or, the following, which throws an IndexError when the key isn't present

SECRET_KEY = os.environ.environ['DJANGO_SECRET']
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information