Where should I place the secret key in Flask?


Question

While reading exploreflask.com, I learned that it is best practice to use two different config files, one for development and one for production. I don't understand whether to place the secret key inside of the development or production config.

The private nature of the instance folder makes it a great candidate for defining keys that you don’t want exposed in version control. These may include your app’s secret key or third-party API keys.

I suppose the secret key shouldn't be shared. Should I put the secret key in the development config or the production config, or should I have a different key for each config?

Recommended answer

Place a secret key in the development config, which gets committed to the repo. This is convenient for developers, because they don't have to generate one to start running the app. In production, use a production config (which is never committed to the repo), with a unique secret key. The production config should override the development config.

from flask import Flask

app = Flask(__name__, instance_relative_config=True)
# default value during development
app.secret_key = 'dev'
# overridden if this file exists in the instance folder
app.config.from_pyfile('config.py', silent=True)

If you don't have a way to add private files in production, such as on Heroku, another option is to use environment variables. If the variable is set, it overrides the default.

import os
app.secret_key = os.environ.get('SECRET_KEY', 'dev')
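The following is an added example, not part of the original answer: it combines both override mechanisms above and refuses to start in production when the key is still the committed `'dev'` default, since Flask signs session cookies with this key and a known value lets anyone forge them. The function names, the `production` flag, the choice that the environment variable wins over the instance file, and the 16-character minimum are assumptions made for illustration.

```python
import os
import secrets

DEV_KEY = "dev"   # the committed development default used in the answer
MIN_LEN = 16      # illustrative threshold (assumption), not a Flask requirement


def resolve_secret_key(config, environ=os.environ, production=False):
    """Pick the key: committed default < instance config.py < SECRET_KEY env var.

    config     -- mapping loaded from instance/config.py (app.config works here)
    environ    -- environment mapping, injectable so the logic can be tested
    production -- hypothetical flag; when True a weak or default key is fatal
    """
    key = environ.get("SECRET_KEY") or config.get("SECRET_KEY") or DEV_KEY
    if production:
        if key == DEV_KEY:
            raise RuntimeError("SECRET_KEY is unset or still the dev default")
        if len(key) < MIN_LEN:
            raise RuntimeError("SECRET_KEY is too short for production")
    return key


def new_key():
    """Generate a value for instance/config.py or the platform's env settings."""
    return secrets.token_hex(32)


def create_app(production=False):
    # Flask is imported here so resolve_secret_key() stays usable without it.
    from flask import Flask

    app = Flask(__name__, instance_relative_config=True)
    # Silently skipped when instance/config.py does not exist (development).
    app.config.from_pyfile("config.py", silent=True)
    app.secret_key = resolve_secret_key(app.config, production=production)
    return app


if __name__ == "__main__":
    # Constructed sample inputs showing each outcome.
    print(resolve_secret_key({}, environ={}))
    print(resolve_secret_key({}, environ={"SECRET_KEY": new_key()}, production=True))
    try:
        resolve_secret_key({}, environ={}, production=True)
    except RuntimeError as exc:
        print("refused to start:", exc)
```
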
