Secure Your Project's Sensitive Information with Django-environ and .env Files

Photo by Faisal on Unsplash

Secure Your Project's Sensitive Information with Django-environ and .env Files

·

4 min read

It's crucial to uphold appropriate security practices in every software development project, including the protection of sensitive data like API keys, database credentials, and other configuration settings. Using a .env file is one of the most popular ways to accomplish this. We'll go over some best practices in this blog post as well as how to build up a .env file using Django-environ.

What is a .env file?

A .env file is a plain-text file that stores configuration information for your project. It typically contains environment variables that your application needs to function correctly, such as database connection details, API keys, and other sensitive information. By using a .env file, you can keep this information separate from your codebase and easily manage it without the risk of accidentally exposing it to others.

Setting up a .env file using Django-environ

Django-environ is a popular library that allows you to read environment variables from a .env file and set them as configuration variables in your Django settings file. Here's how to set it up:

  1. Install Django-environ using pip:

     pip install django-environ
    
  2. Create a .env file in the root directory of your project. In this file, add the environment variables that your project needs to function. For example such as your SECRET_KEY, Database Config and debug :

     DEBUG=True
     SECRET_KEY=django-insecure-ej!(yh6y4vytye6s#ps7zy5ta%gq=eezn$jyllx1d591r4zx7i
     DATABASE_NAME=leave_management
     DATABASE_HOST=localhost
     DATABASE_USER=postgres
     DATABASE_PASS=postgres
     DATABASE_PORT=5432
    
  3. In your Django settings.py file, import Django-environ:

     import environ
    
     env = environ.Env()
    
     # Read the .env file into os.environ
     environ.Env.read_env()
    

    In the above code, we first import the environ module from Django-environ. We then create an instance of the Env class, which provides a simple interface for reading environment variables. We use the read_env() method to read the .env file into the os.environ dictionary.

    By default, Django-environ expects the .env file to be located in the root directory of your project. However, you can also specify a custom filename and location by passing the filename to the read_env() method. For example, if your .env.local file is located in BASE_DIR in your project root, you can use the following code:

     environ.Env.read_env('.env', BASE_DIR )
    
  4. Finally, we use the env() method to set the values of DEBUG, SECRET_KEY, and DATABASES based on the values in the .env file like the following

     DEBUG = env('DEBUG', default=False)
     SECRET_KEY = env('SECRET_KEY')
     DATABASES = {
         'default': {
             'ENGINE': 'django.db.backends.postgresql',
             'NAME': env('DATABASE_NAME'),
             'USER': env('DATABASE_USER'),
             'PASSWORD': env('DATABASE_PASS'),
             'HOST': env('DATABASE_HOST'),
             'PORT': env('DATABASE_PORT'),
         }
     }
    

    In this example, if there is no value for DEBUG in the .env file, the default value of False will be used.

Best practices for using a .env file

Now that you know how to set up a .env file using Django-environ let's go over some best practices for using it:

  • Don't commit your .env file to version control. This file contains sensitive information that should not be shared with others. Instead, add it to your .gitignore file so that it's not accidentally committed.

  • Use a sample .env file eg .env.sample. Instead of creating an empty .env file, create a sample file that contains all the environment variables needed for your project, with empty values. This sample file can be committed to version control and shared with others.

  • Use default values. In your code, always specify default values for environment variables in case they are not set in the .env file. This will help prevent errors if the .env file is missing or incomplete.

  • Use different .env files for different environments. You may have different configuration settings for your development, staging, and production environments. Use separate .env files for each environment and keep them in separate directories.

  • Keep your .env file up-to-date. If you add or remove environment variables from your project, make sure to update the corresponding values in

Conclusion

Using a .env file is a simple but effective way to manage sensitive information in your project. By using Django-environ, you can easily read environment variables from a .env file and set them as configuration variables in your Django settings file. Just remember to follow best practices, such as not committing your .env file to version control and using a sample file. With these practices in mind, you can ensure that your project's sensitive information remains secure.