In my Django project I have an .env file which holds my DJANGO_SECRET_KEY environment variable:
I added a reference to the .env file in my .gitignore file before I initialized the repo, so the SECRET_KEY should not be visible in any repo tracked by git.
In settings.py I set my SECRET_KEY as follows:
SECRET_KEY = env.str("DJANGO_SECRET_KEY")
For deployment on Heroku I added SECRET_KEY via Config Vars in the Heroku Dashboard – everything worked as expected.
Then out of curiosity, I changed the SECRET_KEY in Heroku to a wrong value to see its effect. To my surprise the app was still online and working. I restarted all dynos, but nothing changed. Then I checked the Heroku server's environment variables via heroku run python manage.py shell > import os > print(os.environ) and could see the deliberately set wrong value for
What am I missing here? Isn't the purpose of the SECRET_KEY to protect my app, meaning that if it is not set properly, the app should not be working?
The purpose of SECRET_KEY in Django is described in the official documentation.
The secret key is used for:
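Added example, not part of the original answer and not Django's own code: a simplified standard-library HMAC signer standing in for Django's cryptographic signing, showing why the app runs with any key value while values signed under the previous key stop verifying. The key strings and the `sign`, `unsign` and `survives_key_change` helpers are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample keys: stand-ins for the Config Var before and after the change.
OLD_KEY = "constructed-original-key"
NEW_KEY = "constructed-changed-key"


class BadSignature(Exception):
    """Raised when a value's signature does not verify under the given key."""


def _mac(value: str, key: str) -> str:
    """HMAC-SHA256 of value under key, hex encoded."""
    return hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()


def sign(value: str, key: str) -> str:
    """Return 'value:mac' so the receiver can detect tampering."""
    return f"{value}:{_mac(value, key)}"


def unsign(signed: str, key: str) -> str:
    """Return the original value if the MAC verifies under key, else raise."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        raise BadSignature("no signature present")
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(mac.encode(), _mac(value, key).encode()):
        raise BadSignature("signature does not match the current key")
    return value


def survives_key_change(value: str, old_key: str, new_key: str) -> bool:
    """True if a value signed under old_key still verifies under new_key."""
    try:
        unsign(sign(value, old_key), new_key)
        return True
    except BadSignature:
        return False


if __name__ == "__main__":
    # Any key is a usable key: fresh values sign and verify after the change.
    print(unsign(sign("token=42", NEW_KEY), NEW_KEY))
    # Values issued under the old key are rejected once the key has changed.
    print(survives_key_change("token=42", OLD_KEY, NEW_KEY))
```
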