[Flask] Database credentials in clear text

Jonathan Chen tamasiaina at gmail.com
Tue Jul 28 17:10:49 CEST 2015

Yeah, I've had experience with a "credential wallet" type of product with
Oracle applications. Nothing like that I know of exists currently for
Python. For test/development it really doesn't matter if the cleartext is
available there, but in production there are a few strategies that a devops
person can do to make sure that it is more secure. One of the things that
you should make sure to avoid is exposing the file by accident. Another
thing that you could do is to have the credentials placed in the Python
Path somewhere and have the config import it in. By doing that you can make
sure that your DevOps people know the password, but the developers do not
know. Other than typical database security there isn't much you can do to
protect the config file from being viewed by a simple text editor.

I believe that if you are using Apache, and I could be wrong, is that you
need to make sure that your uwsgi file is not at the root of your app
because it can expose your other files within your app folder.

~Jonathan C.

On Tue, Jul 28, 2015 at 7:46 AM, Matt Shields <matt at mattshields.org> wrote:

> So far as I've been developing all my credentials have been contained in a
> config.py file in clear text.  Is there any way to not keep these in clear
> text or in a file in the application path?
> One of our .NET developers mentioned that when they are developing .NET
> apps, they put all their credentials into the Windows Locker and their app
> is authorized to get the credentials as needed.
> Matt
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/flask/attachments/20150728/c879160d/attachment.html>

More information about the Flask mailing list