我应该将密钥放在 Flask 的什么位置? [英] Where should I place the secret key in Flask?

问题描述

在阅读 exploreflask.com 时，我了解到最好使用两个不同的配置文件，一种用于开发，一种用于生产.我不明白是将密钥放在开发配置还是生产配置中.

While reading exploreflask.com, I learned that it is best practice to use two different config files, one for development and one for production. I don't understand whether to place the secret key inside of the development or production config.

实例文件夹的私有性质使其成为定义您不希望在版本控制中公开的密钥的理想选择.这些可能包括您应用的密钥或第三方 API 密钥.

The private nature of the instance folder makes it a great candidate for defining keys that you don’t want exposed in version control. These may include your app’s secret key or third-party API keys.

我认为不应共享密钥.我应该将密钥放在开发配置还是生产配置中，还是应该为每个配置使用不同的密钥?

I suppose the secret key shouldn't be shared. Should I put the secret key in the development config or the production config, or should I have a different key for each config?

推荐答案

在开发配置中放置一个秘钥，该秘钥被提交到 repo.这对开发人员来说很方便，因为他们不必生成一个就可以开始运行应用程序.在生产中，使用具有唯一密钥的生产配置(从不提交到存储库).生产配置应该覆盖开发配置.

Place a secret key in the development config, which gets committed to the repo. This is convenient for developers, because they don't have to generate one to start running the app. In production, use a production config (which is never committed to the repo), with a unique secret key. The production config should override the development config.

app = Flask(__name__, instance_relative_config=True)
# default value during development
app.secret_key = 'dev'
# overridden if this file exists in the instance folder
app.config.from_pyfile('config.py', silent=True)

如果您没有办法在生产中添加私有文件，例如在 Heroku 上，另一种选择是使用环境变量.如果设置了变量，它将覆盖默认值.

If you don't have a way to add private files in production, such as on Heroku, another option is to use environment variables. If the variable is set, it overrides the default.

app.secret_key = os.environ.get('SECRET_KEY', 'dev')

这篇关于我应该将密钥放在 Flask 的什么位置?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！