Python config files and Security



  • I've been building an app that uses bearer tokens. Normally I just stick most things in either an env var or a CONFIG.py file.

    I am a bit worried about doing similar as this app is a lot bigger in terms of scale and usage.

    Is there a good guide on how to deal with python and configuration?



  • @lucas1 your config files are Python, yet you seem to not be able to use Python to retrieve data securely? What's wrong with you people?


  •

    @lucas1 said in Python config files and Security:

    Is there a good guide on how to deal with python and configuration?

    The standard configparser module is the usual recommended thing, provided what you're doing can be described by a two-level set of key-value pairs. It's a pretty flexible system in my experience. Beyond that (and any pre- and post-processing stuff you layer on top) you're really into the space of “run some user-supplied code” or keeping the configuration in a database or whatever else you can dream up. Lots of options, but no standard.

    The main anti-pattern in this area is passing security tokens directly in arguments or environment variables; neither are considered secure. Passing the name of a file (system object) that holds the actual token is fine though.
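    The pattern this reply recommends, as an added example that is not part of the original thread: a two-level INI config read with the standard `configparser` module, where the config names the *file* holding the bearer token rather than the token itself, and a loader that refuses a token file other users can read. The `[auth]`/`token_file` key, the `0600` mode limit and the sample values are assumptions for illustration.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path


def load_config(config_path):
    """Parse a two-level INI-style config with the standard configparser module.

    The config names the *file* that holds the bearer token; the token itself
    never appears in the config, on the command line or in the environment.
    """
    parser = configparser.ConfigParser()
    with open(config_path, encoding="utf-8") as fh:
        parser.read_file(fh)  # read_file raises if the file is missing, unlike read()
    return parser


def read_token(token_path, max_mode=0o600):
    """Read a bearer token from a file, refusing files other users can read.

    Hypothetical helper: the mode check is what makes "pass the file name,
    not the token" safer than an argument or environment variable, which
    any process under the same user (or a ps/proc listing) can see.
    """
    path = Path(token_path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & ~max_mode:  # any bit set beyond owner read/write
        raise PermissionError(
            f"{path} has mode {mode:04o}; expected at most {max_mode:04o}"
        )
    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise ValueError(f"{path} is empty")
    return token


def bearer_header(config_path):
    """Build the Authorization header value from a config and its token file."""
    cfg = load_config(config_path)
    token_file = cfg.get("auth", "token_file")  # assumed key layout
    # Resolve a relative token_file against the config's own directory so the
    # config and token move together (a choice made here, not a configparser rule).
    token_path = Path(config_path).parent / token_file
    return "Bearer " + read_token(token_path)


def demo():
    """Constructed sample: a config plus a 0600 token file in a temp dir.

    Returns the header built from the correctly protected file, and whether
    the loader refused the same file once it was made world-readable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "app.ini").write_text(
            "[service]\nbase_url = https://api.example.invalid\n"
            "[auth]\ntoken_file = token.txt\n",
            encoding="utf-8",
        )
        token_path = tmp / "token.txt"
        token_path.write_text("constructed-sample-token\n", encoding="utf-8")
        os.chmod(token_path, 0o600)
        good = bearer_header(tmp / "app.ini")

        # Same token file with group/world read bits set: the loader refuses it.
        os.chmod(token_path, 0o644)
        try:
            bearer_header(tmp / "app.ini")
            refused = False
        except PermissionError:
            refused = True
    return good, refused


if __name__ == "__main__":
    print(demo())
```

    Keeping the token in its own file also means the config can be committed or shared while the token stays out of version control, and the mode check turns a silent misconfiguration (a token file that is readable by every local user) into a startup failure.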

