Shantanu Nighot



How to hide Django SECRET_KEY on Public Repositories.

Hide sensitive data from source code with Heroku config vars.

May 8, 2021



While working on a Django project, you may have seen variables like SECRET_KEY and other database-related information that is considered sensitive. When uploading the source code of a deployed Django project to the internet, this data should be properly managed to avoid any misuse. But removing it from the repo every time you push can become a hectic job and can cause errors in production.

Let's consider my Django project named "quotes-gen-project", deployed on Heroku. It shows a random quote from the database with its author's name and also allows visitors to add more quotes. This is my first Django project, so I kept it as simple as possible.


You can visit the GitHub repo for the source code of this project.

After deploying the project on Heroku, you will have the following variables in the file.

# Hardcoded values: anyone who can read the repository can read these.
SECRET_KEY = 'your-django-secret-key'

DATABASES = {
    'default': {
        'ENGINE': 'your-database-engine name',
        'NAME': 'database-name',
        'USER': 'database-username',
        'PASSWORD': 'database-password',
        'HOST': 'database-host',
        'PORT': '5432',
    }
}

Now follow the steps below to add the above variables to the Heroku config vars.

  • Log in to your Heroku account
  • Select your Heroku app
  • Go to Settings
  • Click on Reveal Config Vars.


Here you need to add a key and a value for each variable you want to add. For example, enter SECRET_KEY as the key and your-django-secret-key as the value, without quotes. Do this for all other variables like NAME, USER, PASSWORD, and HOST.


You have now added the config vars to the app and need to make some changes to read them from the code.

Go to the file and make the following changes.

import os

# Values now come from the environment (Heroku config vars) at runtime.
SECRET_KEY = os.getenv('SECRET_KEY')

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': os.getenv('NAME'),
        'USER': os.getenv('USER'),
        'PASSWORD': os.getenv('PASSWORD'),
        'HOST': os.getenv('HOST'),
        'PORT': '5432',
    }
}

And that's it.
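Before pushing to a public repository, it is worth confirming that no literal values remain in the settings. The check below is an added example, not code from the original post: it parses settings source with Python's ast module and reports SECRET_KEY or DATABASES credentials that are still string literals, including a literal passed as the os.getenv fallback. The name find_hardcoded_secrets and the BEFORE/AFTER samples are constructed for illustration.

```python
import ast

# Settings the article moves into Heroku config vars.
SENSITIVE_DB_KEYS = {"NAME", "USER", "PASSWORD", "HOST"}

def _is_literal(value):
    # Also catch a hardcoded fallback such as os.getenv('SECRET_KEY', 'dev-key').
    if isinstance(value, ast.Call) and len(value.args) > 1:
        value = value.args[1]
    return isinstance(value, ast.Constant) and isinstance(value.value, str)

def find_hardcoded_secrets(source):
    """Return (line, setting) pairs where a sensitive setting is a string literal."""
    findings = []
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if "SECRET_KEY" in names and _is_literal(node.value):
            findings.append((node.lineno, "SECRET_KEY"))
        if "DATABASES" in names and isinstance(node.value, ast.Dict):
            # DATABASES maps an alias ('default') to a dict of connection settings.
            for conn in node.value.values:
                if not isinstance(conn, ast.Dict):
                    continue
                for key, value in zip(conn.keys, conn.values):
                    if (isinstance(key, ast.Constant) and _is_literal(value)
                            and key.value in SENSITIVE_DB_KEYS):
                        findings.append((value.lineno, "DATABASES." + key.value))
    return findings

# Constructed samples; the getenv fallback in AFTER is added to show a residual leak.
BEFORE = """SECRET_KEY = 'your-django-secret-key'
DATABASES = {'default': {
    'NAME': 'database-name',
    'PASSWORD': 'database-password',
}}
"""
AFTER = """import os
SECRET_KEY = os.getenv('SECRET_KEY')
DATABASES = {'default': {
    'NAME': os.getenv('NAME'),
    'PASSWORD': os.getenv('PASSWORD', 'database-password'),
}}
"""

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_hardcoded_secrets(src))
```

The check only inspects the current contents of the file; values committed earlier remain in the repository history.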

Now run the following commands in the command prompt in your project root directory and check that everything is working as before.

git add -A
git commit -m "commit message"
git push heroku master
heroku open

Hurray, you were able to hide sensitive data from source code and can now share your work with the world without any worries.

Thanks for checking out this blog. I hope this information was helpful for you. Let me know by commenting below.
