Where should I place the secret key in Flask?

While reading exploreflask.com, I learned that it is best practice to use two different config files, one for development and one for production. I don’t understand whether to place the secret key inside of the development or production config.

The private nature of the instance folder makes it a great candidate for defining keys that you don’t want exposed in version control. These may include your app’s secret key or third-party API keys.

I suppose the secret key shouldn’t be shared. Should I put the secret key in the development config or the production config, or should I have a different key for each config?

Answers:


Method 1

Place a secret key in the development config, which gets committed to the repo. This is convenient for developers, because they don’t have to generate one to start running the app. In production, use a production config (which is never committed to the repo), with a unique secret key. The production config should override the development config.

from flask import Flask

app = Flask(__name__, instance_relative_config=True)
# default value during development (committed to the repo)
app.secret_key = 'dev'
# overridden if instance/config.py exists; the instance folder is not committed
app.config.from_pyfile('config.py', silent=True)

If you don’t have a way to add private files in production, such as on Heroku, another option is to use environment variables. If the variable is set, it overrides the default.

import os

# the environment variable, when set, overrides the committed default
app.secret_key = os.environ.get('SECRET_KEY', 'dev')

Method 2

I use a mixture of hardcoded values and environment variables in my production config.py:

import os


class Config(object):
    SECRET_KEY = os.environ.get("SECRET_KEY")
    SQLALCHEMY_DATABASE_URI = os.environ.get("DB_PROD")
    SQLALCHEMY_TRACK_MODIFICATIONS = False

In my development config.py, everything is hardcoded.
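Both answers rely on an override that must actually happen in production, so a startup check that the committed 'dev' default did not survive into a non-debug process is the piece worth adding. The example below is added here and is not code from either answer or from Flask; it assumes the precedence environment variable > instance-folder config.py > committed default (combining Method 1's two options), a minimum key length of 32 characters as a chosen sanity threshold, and it executes the instance file the way Flask's from_pyfile does so the logic runs without Flask installed.

```python
import os
import secrets
import tempfile

DEV_DEFAULT = "dev"  # the committed development default from Method 1


def load_secret_key(environ, instance_config=None, debug=False):
    """Resolve SECRET_KEY with the precedence assumed here:
    SECRET_KEY env var > instance-folder config.py > committed dev default.
    The instance file is executed the way Flask's from_pyfile does (exec the
    file, read its uppercase names), so the logic is testable without Flask."""
    key = DEV_DEFAULT
    if instance_config and os.path.exists(instance_config):
        namespace = {}
        with open(instance_config, "rb") as fh:
            exec(compile(fh.read(), instance_config, "exec"), namespace)
        key = namespace.get("SECRET_KEY", key)
    key = environ.get("SECRET_KEY") or key
    # Startup guard: a non-debug (production) process must not run on the
    # shared default or a short key, since anyone with the repo could then
    # forge session cookies. Fail fast instead of silently falling back.
    if not debug and (key == DEV_DEFAULT or len(key) < 32):
        raise RuntimeError("SECRET_KEY is the committed dev default or too short; "
                           "set it in instance/config.py or the SECRET_KEY env var")
    return key


def demo():
    """Exercise the precedence rules against a constructed instance folder."""
    results = {}
    with tempfile.TemporaryDirectory() as instance_dir:
        cfg = os.path.join(instance_dir, "config.py")
        # Developer laptop, debug on, nothing configured: the default is fine.
        results["dev_default"] = load_secret_key({}, cfg, debug=True)
        # Production with nothing configured: refuse to start.
        try:
            load_secret_key({}, cfg)
            results["prod_unset"] = "started"
        except RuntimeError:
            results["prod_unset"] = "refused"
        # Uncommitted instance config present (key made with secrets.token_hex).
        file_key = secrets.token_hex(32)
        with open(cfg, "w") as fh:
            fh.write(f"SECRET_KEY = {file_key!r}\n")
        results["from_instance"] = load_secret_key({}, cfg) == file_key
        # Environment variable (e.g. on Heroku) beats the instance file.
        env_key = secrets.token_hex(32)
        results["env_wins"] = load_secret_key({"SECRET_KEY": env_key}, cfg) == env_key
    return results
```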


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
