Oops I Committed My Secret Key

Lightning talk given at DjangoCon US 2016

Philip James

July 20, 2016

Transcript

  1. Oops I Committed My Secret Key
    Philip James
    @phildini
    https://www.wordfugue.com

  2. $ django-admin.py startproject bestthingever
    $ git init
    $ git add .
    $ git commit -m "Initial commit"
    $ git push origin master

  4. Wait, have I?

  5. YES.
    Signed Cookies
    Secure Sessions
    Password Reset Tokens

  6. What do I do?

  7. import os
     import warnings
     from django.core.exceptions import ImproperlyConfigured
     # DEBUG is the module-level setting; define it before calling this function.
     def get_env_variable(var_name):
         """ Get the environment variable or return exception """
         try:
             return os.environ[var_name]
         except KeyError:
             error_msg = "Set the %s env variable" % var_name
             if DEBUG:
                 # Warn only; the function then returns None.
                 warnings.warn(error_msg)
             else:
                 raise ImproperlyConfigured(error_msg)

  8. SECRET_KEY = get_env_variable("SECRET_KEY")

  9. How do I get a new key?

  10. http://www.miniwebtool.com/django-secret-key-generator/
    $ python manage.py shell
    >>> from django.utils.crypto import get_random_string
    >>> get_random_string(length=50)

  11. What about my users?

  12. Optional: No permanent key

  13. Thanks.
    @phildini
    http://bit.ly/secret-key
    Come back at 1:15PM for “Cat on yer head”!

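
Added example, not from the talk: slides 7, 8, 10 and 12 combined into one loader that reads `SECRET_KEY` from the environment, rejects keys that meet the conditions of Django's `security.W009` deploy check, and, reading slide 12 as "a fresh key per process", generates an ephemeral key in debug mode. The names `SecretKeyError`, `new_secret_key`, `weakness` and `load_secret_key` are hypothetical, and the standard-library `secrets` module stands in for Django's `get_random_string` so the block runs without Django installed.

```python
import os
import secrets
import string
import warnings

# Prefix newer Django versions put on the key that startproject writes into
# settings.py, i.e. the key that ends up in the first commit.
INSECURE_PREFIX = "django-insecure-"
ALPHABET = string.ascii_letters + string.digits


class SecretKeyError(Exception):
    """Hypothetical stand-in for django.core.exceptions.ImproperlyConfigured."""


def new_secret_key(length=50):
    """Generate a key locally with the OS CSPRNG, so it never leaves this host."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weakness(key):
    """Return why a key is unfit for production, or None if it looks fine."""
    if key.startswith(INSECURE_PREFIX):
        return "key is the startproject placeholder"
    if len(key) < 50:
        return "key is shorter than 50 characters"
    if len(set(key)) < 5:
        return "key has fewer than 5 distinct characters"
    return None


def load_secret_key(environ=os.environ, debug=False):
    """Read SECRET_KEY from the environment; never fall back to a committed value."""
    key = environ.get("SECRET_KEY")
    if key is None:
        if debug:
            # Assumed reading of slide 12: a fresh key on every process start.
            # Everything on slide 5 stops validating after each restart.
            warnings.warn("SECRET_KEY not set; using an ephemeral key")
            return new_secret_key()
        raise SecretKeyError("Set the SECRET_KEY env variable")
    problem = weakness(key)
    if problem and not debug:
        raise SecretKeyError(problem)
    return key
```

In `settings.py` this would be called as `SECRET_KEY = load_secret_key(debug=DEBUG)`, after `DEBUG` has been defined.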