Django settings contain sensitive data and debug is default on about pyshelf HOT 7 CLOSED

SECRET_KEY = "@(9b9jslgg41u1u=mr)-2*-n2x0vef0zsy39*z@sz18&tvow18"
The secret key should be randomly generated for each install of pyshelf, This is probably something we will have to handle during the setup phase, probably by generating one into the config.json, and referencing it

DEBUG = TEMPLATE_DEBUG = True
if DEBUG is True:
    from pudb.remote import set_trace
ALLOWED_HOSTS = CONFIG.allowed_hosts

The django test server requires the debug setting to be true in order to correctly reference static files.https://docs.djangoproject.com/en/3.0/howto/static-files/, in an attempt to make the project more accessible to new users I have chosen to leave the debug setting to true that they may easily host the frontend. The README should be updated to reflect this to users so they may toggle it off during their install.

My thoughts are that if they dont know how to setup a web server, and have been warned against using the testserver and still choose to then security isnt a concern for them.

from pyshelf.

DEBUG = TEMPLATE_DEBUG = True
if DEBUG is True:
    from pudb.remote import set_trace
ALLOWED_HOSTS = CONFIG.allowed_hosts

The django test server requires the debug setting to be true in order to correctly reference static files.https://docs.djangoproject.com/en/3.0/howto/static-files/, in an attempt to make the project more accessible to new users I have chosen to leave the debug setting to true that they may easily host the frontend. The README should be updated to reflect this to users so they may toggle it off during their install.

My thoughts are that if they dont know how to setup a web server, and have been warned against using the testserver and still choose to then security isnt a concern for them.

I see, I stumbled on this, because we git pull the repository into the docker image and therefor the docker runs in debug mode instead of production mode. In order to circumvent this, we should have a way to pull or download a release version.

from pyshelf.

Sounds like were gonna need to set that in config sooner then later

from pyshelf.

As an alternative to using debug settings, Whitenoise supports serving static files for Django in production.

from pyshelf.

As an alternative to using debug settings, Whitenoise supports serving static files for Django in production.

This looks promising.

from pyshelf.

Django secret keys now generate on a per-install basis 0fc3d44

from pyshelf.

As of version 0.6.0 this is no longer an issue.

from pyshelf.