Python config files and Security



  • I've been building an app that uses bearer tokens. Normally I just stick most things in either and env var or using a CONFIG.py file.

    I am a bit worried about doing similar as this app is a lot bigger in terms of scale and usage.

    Is there a good guide on how to deal with python and configuration?



  • @lucas1 your config files are Python, yet you seem to not be able to use Python to retrieve data securely? What's wrong with you people?


  • Discourse touched me in a no-no place

    @lucas1 said in Python config files and Security:

    Is there a good guide on how to deal with python and configuration?

    The standard configparser module is the usual recommended thing, provided what you're doing can be described by a two-level set of key-value pairs. It's a pretty flexible system in my experience. Beyond that (and any pre- and post-processing stuff you layer on top) you're really into the space of “run some user-supplied code” or keeping the configuration in a database or whatever else you can dream up. Lots of options, but no standard.

    The main anti-pattern in this area is passing security tokens directly in arguments or environment variables; neither are considered secure. Passing the name of a file (system object) that holds the actual token is fine though.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.