bisco/hoopscout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden production settings safety checks and docs

Browse Source
This commit is contained in:
Alfredo Di Stasio
2026-03-10 16:04:02 +01:00
parent 2586f15ae8
commit dd09b71eb4
5 changed files with 153 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
config/settings/base.py
View File

@ -1,8 +1,10 @@
from pathlib import Path
import logging
import os
from django.core.exceptions import ImproperlyConfigured
BASE_DIR = Path(__file__).resolve().parent.parent.parent
settings_logger = logging.getLogger("config.settings")
def env_bool(key: str, default: bool = False) -> bool:
@ -20,15 +22,39 @@ def env_list(key: str, default: str = "") -> list[str]:
DJANGO_ENV = os.getenv("DJANGO_ENV", "development").strip().lower()
SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "insecure-development-secret")
DEBUG = env_bool("DJANGO_DEBUG", False)
IS_DEVELOPMENT_ENV = DJANGO_ENV in {"development", "local", "dev"}
ALLOWED_HOSTS = env_list("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
CSRF_TRUSTED_ORIGINS = env_list(
"DJANGO_CSRF_TRUSTED_ORIGINS", "http://localhost,http://127.0.0.1"
)
if not DEBUG and SECRET_KEY in {"", "insecure-development-secret", "change-me-in-production"}:
raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set to a strong value when DEBUG=0.")
DEFAULT_SECRET_KEY_MARKERS = {"", "insecure-development-secret", "change-me-in-production"}
def raise_config_error(message: str) -> None:
settings_logger.critical("Configuration error: %s", message)
raise ImproperlyConfigured(message)
def is_secret_key_unsafe(secret_key: str) -> bool:
if secret_key in DEFAULT_SECRET_KEY_MARKERS:
return True
if len(secret_key) < 32:
return True
lower = secret_key.lower()
return "change-me" in lower or "insecure" in lower or "default" in lower
if (not IS_DEVELOPMENT_ENV or not DEBUG) and is_secret_key_unsafe(SECRET_KEY):
raise_config_error(
"DJANGO_SECRET_KEY is unsafe. Set a strong, unique value for non-development environments."
)
if not DEBUG and not ALLOWED_HOSTS:
raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
raise_config_error("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
if not DEBUG and "*" in ALLOWED_HOSTS:
raise_config_error("DJANGO_ALLOWED_HOSTS must not contain '*' when DEBUG=0.")
INSTALLED_APPS = [
"django.contrib.admin",