It's crucial to uphold appropriate security practices in every software development project, including the protection of sensitive data like API keys, database credentials, and other configuration settings. Using a .env file is one of the most popular ways to accomplish this. We'll go over some best practices in this blog post as well as how to build up a .env file using Django-environ.
What is a .env
file?
A .env file is a plain-text file that stores configuration information for your project. It typically contains environment variables that your application needs to function correctly, such as database connection details, API keys, and other sensitive information. By using a .env file, you can keep this information separate from your codebase and easily manage it without the risk of accidentally exposing it to others.
Setting up a .env
file using Django-environ
Django-environ is a popular library that allows you to read environment variables from a .env
file and set them as configuration variables in your Django settings file. Here's how to set it up:
Install Django-environ using pip:
pip install django-environ
Create a
.env
file in the root directory of your project. In this file, add the environment variables that your project needs to function. For example such as yourSECRET_KEY, Database Config and debug
:DEBUG=True SECRET_KEY=django-insecure-ej!(yh6y4vytye6s#ps7zy5ta%gq=eezn$jyllx1d591r4zx7i DATABASE_NAME=leave_management DATABASE_HOST=localhost DATABASE_USER=postgres DATABASE_PASS=postgres DATABASE_PORT=5432
In your Django
settings.py
file, import Django-environ:import environ env = environ.Env() # Read the .env file into os.environ environ.Env.read_env()
In the above code, we first import the
environ
module from Django-environ. We then create an instance of theEnv
class, which provides a simple interface for reading environment variables. We use theread_env()
method to read the.env
file into theos.environ
dictionary.By default, Django-environ expects the
.env
file to be located in the root directory of your project. However, you can also specify a custom filename and location by passing the filename to theread_env()
method. For example, if your.env.local
file is located inBASE_DIR
in your project root, you can use the following code:environ.Env.read_env('.env', BASE_DIR )
Finally, we use the
env()
method to set the values ofDEBUG
,SECRET_KEY
, andDATABASES
based on the values in the.env
file like the followingDEBUG = env('DEBUG', default=False) SECRET_KEY = env('SECRET_KEY') DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': env('DATABASE_NAME'), 'USER': env('DATABASE_USER'), 'PASSWORD': env('DATABASE_PASS'), 'HOST': env('DATABASE_HOST'), 'PORT': env('DATABASE_PORT'), } }
In this example, if there is no value for
DEBUG
in the.env
file, the default value ofFalse
will be used.
Best practices for using a .env
file
Now that you know how to set up a .env file using Django-environ let's go over some best practices for using it:
Don't commit your .env file to version control. This file contains sensitive information that should not be shared with others. Instead, add it to your .gitignore file so that it's not accidentally committed.
Use a sample
.env
file eg.env.sample
. Instead of creating an empty.env
file, create a sample file that contains all the environment variables needed for your project, with empty values. This sample file can be committed to version control and shared with others.Use default values. In your code, always specify default values for environment variables in case they are not set in the .env file. This will help prevent errors if the .env file is missing or incomplete.
Use different .env files for different environments. You may have different configuration settings for your development, staging, and production environments. Use separate .env files for each environment and keep them in separate directories.
Keep your
.env
file up-to-date. If you add or remove environment variables from your project, make sure to update the corresponding values in
Conclusion
Using a .env
file is a simple but effective way to manage sensitive information in your project. By using Django-environ, you can easily read environment variables from a .env
file and set them as configuration variables in your Django settings file. Just remember to follow best practices, such as not committing your .env
file to version control and using a sample file. With these practices in mind, you can ensure that your project's sensitive information remains secure.