Django App deployed on Heroku works despite wrong SECRET_KEY

In my Django project I have an .env file which holds my DJANGO_SECRET_KEY environment variable:

export DJANGO_SECRET_KEY=dummysecretkey123

I added a reference to the .env file in my .gitignore file before I initialized the repo, so the SECRET_KEY should not be visible in any repo tracked by git

In my settings.py I set my SECRET_KEY as follows:

SECRET_KEY = env.str("DJANGO_SECRET_KEY")

For deployment on Heroku I added SECRET_KEY via Config Vars in the Heroku Dashboard – everything worked as expected.

Then out of curiosity, I changed the SECRET_KEY in Heroku to a wrong value to see its effect. To my surprise the app was still online and working. I restared all dynos, but nothing changed. Then I checked the Heroku server’s environment variables via heroku run python manage.py shell > import os > print(os.environ) and could see the deliberately set wrong value for SECRET_KEY

What am I missing here? Isn’t the purpose of the SECRET_KEY to protect my app, meaning that if it is not set properly, the app should not be working?

Answer

The purpose of SECRET_KEY in django is described in official documentation.

It states:

The secret key is used for:

sessions,

messages,

PasswordResetView tokens,

cryptographic signing.