Information Security
gpm7315, 2019-07-27 12:51:39

What's the point of storing application "secrets" through environment variables?

Hi! I'll use Miguel Grinberg (Flask Mega Tutorial) as an example. First he says, roughly, that we are not fools, so we don't store access credentials for the database, mail, etc. in the application settings, so that an attacker can't screw us over. We're smart, so we'll enter the values into environment variables manually through the console (export DB_PASS="qwerty"). A chapter later: "we're not fools to type the same thing by hand every time, let's save it all in a .env file". So what is actually the point of storing "secrets" in a .env file instead of in config.py? Is there a fundamental difference in security? O_o


3 answer(s)
sim3x, 2019-07-27

Configs hold not only secrets but also ordinary settings.
Such configs with secrets get pushed to public repositories all the time, and all the data of such careless citizens gets leaked all the time.

Decadal, 2019-07-27

The difference is that the configs are under git and the environment is not.
That is because configs are instructions for "how to configure" the application, while the environment holds the values themselves that need to be passed into the settings. So the config knows in what form and format the application accepts, for example, the database connection settings (a connection string, say), and the environment holds the port of a particular database, the user of a particular database, the password of a particular database, and so on.
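The split described above (config.py knows the shape, the environment supplies the values) in working Python. This is an added example, not code from the thread or from the Flask Mega Tutorial; the variable names (DB_PASS, DB_HOST, SECRET_KEY, ...), the PostgreSQL connection-string format, and the sample .env contents are assumptions for illustration. The .env loader is a small stand-in for python-dotenv and copies its default of not overriding variables that are already set, so a secret exported in the shell is never clobbered by a stale file.

```python
"""Added example: config.py describes *what* the application needs and in
which format; the *values* come from the process environment, optionally
seeded from a .env file that stays out of git.
"""
import os
from urllib.parse import quote


def load_dotenv_text(text, environ, override=False):
    """Minimal .env loader (KEY=VALUE, '#' comments, optional 'export ',
    single- or double-quoted values). Existing variables win unless
    override=True, which is also python-dotenv's default. Returns the keys
    it saw together with the value now in effect."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed .env line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted: keep as-is
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop comment
        if override or key not in environ:
            environ[key] = value
        seen[key] = environ[key]
    return seen


def require(environ, key):
    """Secrets get no default: a missing one fails loudly at start-up
    instead of silently falling back to something like 'qwerty'."""
    value = environ.get(key)
    if not value:
        raise RuntimeError(
            f"{key} is not set; export it or put it in an untracked .env file")
    return value


class Config:
    """The part that is safe to commit: keys, types, and how they combine."""
    def __init__(self, environ):
        self.SECRET_KEY = require(environ, "SECRET_KEY")
        self.DB_PASS = require(environ, "DB_PASS")
        self.DB_USER = environ.get("DB_USER", "app")
        self.DB_HOST = environ.get("DB_HOST", "localhost")
        self.DB_PORT = int(environ.get("DB_PORT", "5432"))
        self.DB_NAME = environ.get("DB_NAME", "app")
        # The password is URL-encoded so '@' or ' ' in it cannot break the URI.
        self.SQLALCHEMY_DATABASE_URI = (
            f"postgresql://{self.DB_USER}:{quote(self.DB_PASS, safe='')}"
            f"@{self.DB_HOST}:{self.DB_PORT}/{self.DB_NAME}")

    def public_view(self):
        """For logging: never echo the secret values themselves."""
        return {"DB_USER": self.DB_USER, "DB_HOST": self.DB_HOST,
                "DB_PORT": self.DB_PORT, "DB_NAME": self.DB_NAME,
                "SECRET_KEY": "<set>", "DB_PASS": "<set>"}


# Constructed sample .env (assumed contents); a real one is in .gitignore.
SAMPLE_DOTENV = """\
# local development values, never committed
SECRET_KEY="0123456789abcdef"
export DB_PASS='p@ss word'
DB_HOST=db.internal  # trailing comment
DB_PORT=5433
"""


def build_config(dotenv_text=SAMPLE_DOTENV, environ=None):
    """Seed a copy of the environment from .env text, then build the Config."""
    env = dict(os.environ if environ is None else environ)
    load_dotenv_text(dotenv_text, env)
    return Config(env)


def startup_error(dotenv_text, environ):
    """Return the start-up error message for a broken deployment, or None."""
    try:
        build_config(dotenv_text, environ)
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_config(environ={}).public_view())
    print(build_config(environ={"DB_PASS": "from-shell"}).SQLALCHEMY_DATABASE_URI)
```

Note what is and is not gained: with this layout the repository contains only `Config` and the list of required keys; the values live in the shell or in an untracked .env. Someone who can already read files on the server (or the process memory) still gets the password, so the .env file does not protect against a compromised host, only against the config-in-git leak the other answers describe.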

xmoonlight, 2019-07-27

YOURAPPLICATION_SETTINGS
Read here and note that the file supplying the environment variable values can be located at an arbitrary path.
That is, this is done precisely so that secrets are not accidentally uploaded to git and so that an attacker cannot reach them from the application (because the file is OUTSIDE the application, and access to it must be configured correctly!).
Also, immediately after the environment variables are set, you can (optionally) change the access rights on the source file with the variable values, or delete it altogether.
Also take a look at the configuration best practices on the same page: here
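The answer above relies on the settings file living outside the repository and being reachable only through an environment variable that names its path, with access rights on that file "configured correctly". Flask's `Config.from_envvar()` does the first half (it reads the path from the named variable and loads that Python file). The added example below, not code from the thread or from Flask, shows the other half: it refuses a settings file unless it is a regular file owned by the current user with owner-only permissions, and forgets the pointer variable once the values are loaded. Assumptions: the file is JSON rather than Python, the variable name YOURAPPLICATION_SETTINGS mirrors the Flask docs, and the file contents are constructed.

```python
"""Added example: load settings from a file that lives outside the
application tree, check its permissions first, then drop the pointer.
"""
import json
import os
import stat
import tempfile

SETTINGS_VAR = "YOURAPPLICATION_SETTINGS"   # assumed name, as in the Flask docs


def load_settings_from_envvar(environ, var=SETTINGS_VAR, forget=True):
    """Return the dict stored at the path named by environ[var].

    Rejects anything that is not a regular, owner-only file belonging to
    the current user, so a world-readable copy left behind by a sloppy
    deploy is caught at start-up rather than discovered in an incident.
    """
    path = environ.get(var)
    if not path:
        raise RuntimeError(
            f"{var} is not set; point it at a settings file outside the repo")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    if st.st_mode & 0o077:          # any group/other bit set
        raise PermissionError(
            f"{path} is readable by others (mode {stat.filemode(st.st_mode)});"
            " chmod 600 it")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        settings = json.load(fh)
    if not isinstance(settings, dict):
        raise ValueError("settings file must contain a JSON object")
    if forget:
        # The running process no longer needs to know where the file is.
        environ.pop(var, None)
    return settings


def write_private_settings(path, settings):
    """Create the file with mode 0600 from the first byte; chmod afterwards
    would leave a window where it is readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(settings, fh)
    os.chmod(path, 0o600)           # also fixes a pre-existing looser file


def demo():
    """Round trip on constructed data; returns (settings, forgotten, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.json")
        write_private_settings(path, {"DB_PASS": "constructed-example",
                                      "DB_HOST": "db.internal"})
        env = {SETTINGS_VAR: path}
        settings = load_settings_from_envvar(env)
        forgotten = SETTINGS_VAR not in env
        os.chmod(path, 0o644)       # simulate a careless deploy
        try:
            load_settings_from_envvar({SETTINGS_VAR: path})
            rejected = False
        except PermissionError:
            rejected = True
    return settings, forgotten, rejected


if __name__ == "__main__":
    print(demo())
```

Removing the variable after loading (the `forget` flag) is the programmatic form of the "change access / delete the source" step in the answer: child processes spawned later, and anything that dumps the environment into a crash report, will not see the path. It does not remove the values themselves from the process, so it is a hygiene measure rather than a boundary.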
