Don't keep sensitive information in your Django settings

If you are checking your settings.py into Git, make sure you aren't including any potentially sensitive information such as database passwords, secret keys and so on. A quick and easy way to avoid this is to create a separate sensitive.py file.

2020 Edit

This is a pretty old post. I've since learned that using environment variables is a much better way to handle sensitive data without having to worry about it ending up in Git. Here's a good post on the subject.

The approach I've outlined here is actually a better way to handle multiple settings files (dev, staging & production).
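As an added illustration of the environment-variable approach the edit mentions (example code, not from the original post), the fragment below assembles the sensitive part of a settings module from the process environment and refuses to start when a required variable is missing, so a deployment that forgot to export a secret fails loudly instead of running with an empty SECRET_KEY or database password. The variable names (DJANGO_SECRET_KEY, DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, DJANGO_DEBUG) are choices made for this example, and ImproperlyConfigured is a local stand-in for django.core.exceptions.ImproperlyConfigured so the snippet runs without Django installed.

```python
import os


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (assumption, keeps this runnable without Django)."""


def get_env_setting(name, default=None, environ=None):
    """Return the value of environment variable `name`.

    Raises ImproperlyConfigured when the variable is unset and no default was
    supplied. `environ` defaults to os.environ; it is a parameter only so the
    function can be exercised with a constructed mapping.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None:
        if default is None:
            raise ImproperlyConfigured("Set the %s environment variable" % name)
        return default
    return value


def build_settings(environ=None):
    """Assemble the secret-bearing settings from the environment.

    Nothing here is a literal that could end up in Git; only the variable
    names are checked in. DEBUG is off unless DJANGO_DEBUG is exactly "1".
    """
    return {
        "SECRET_KEY": get_env_setting("DJANGO_SECRET_KEY", environ=environ),
        "DEBUG": get_env_setting("DJANGO_DEBUG", "0", environ=environ) == "1",
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql_psycopg2",
                "NAME": get_env_setting("DB_NAME", environ=environ),
                "USER": get_env_setting("DB_USER", environ=environ),
                "PASSWORD": get_env_setting("DB_PASSWORD", environ=environ),
                "HOST": get_env_setting("DB_HOST", "localhost", environ=environ),
            }
        },
    }


if __name__ == "__main__":
    # Constructed sample environment, standing in for variables exported by the shell.
    sample_environ = {
        "DJANGO_SECRET_KEY": "example-not-a-real-key",
        "DB_NAME": "dbname",
        "DB_USER": "dbusername",
        "DB_PASSWORD": "dbpassword",
    }
    print(build_settings(sample_environ))
    try:
        build_settings({})
    except ImproperlyConfigured as exc:
        print("Refused to start:", exc)
```

In a real settings.py you would call get_env_setting without the `environ` argument and assign the results to module-level names; the point of raising rather than defaulting is that a missing secret is a configuration error worth stopping on, whereas an optional value such as DB_HOST can safely carry a default.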

If you are checking your settings.py into your git repository, you must make sure you aren't including any potentially sensitive information such as database passwords, secret keys and so on.

A quick and easy way to avoid this is to create a separate private.py file:

private.py
# Everything that must never reach Git lives in this module.
# Django expects the database settings under a 'default' alias.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'dbname',
        'USER': 'dbusername',
        'PASSWORD': 'dbpassword',
    }
}
SECRET_KEY = '...'

and import it in your settings.py:

# private.py sits next to settings.py, so import it relative to this package.
from .private import *
# ...

while blocking it via your .gitignore.
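A check that catches the mistake this post warns about before it is committed, added here as an example and not part of the original post: it parses a settings module with Python's ast module and reports every sensitive-looking name (SECRET_KEY, anything containing PASSWORD, API_KEY or TOKEN; the name list is this example's choice) that is assigned a non-empty string literal, either as a module variable or as a key inside a dict such as DATABASES. Values read from the environment or imported from private.py are not literals and so pass. The settings text it scans is constructed inline.

```python
import ast

# Substrings that mark a setting as sensitive (chosen for this example).
SENSITIVE_MARKERS = ("SECRET_KEY", "PASSWORD", "API_KEY", "TOKEN")


def _is_sensitive(name):
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def _is_secret_literal(node):
    # Only a hard-coded, non-empty string counts; os.environ[...] or a call does not.
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_secrets(source, filename="settings.py"):
    """Return sorted (line, name) pairs for sensitive names bound to string literals."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # SECRET_KEY = 'abc'
            for target in node.targets:
                if isinstance(target, ast.Name) and _is_sensitive(target.id) \
                        and _is_secret_literal(node.value):
                    findings.append((node.lineno, target.id))
        elif isinstance(node, ast.Dict):
            # {'PASSWORD': 'abc'} nested anywhere, e.g. inside DATABASES['default']
            for key, value in zip(node.keys, node.values):
                if key is None:  # **spread entry, no literal key to inspect
                    continue
                if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                        and _is_sensitive(key.value) and _is_secret_literal(value):
                    findings.append((key.lineno, key.value))
    return sorted(findings)


# Constructed sample settings module: two hard-coded secrets and one value
# correctly taken from the environment.
SAMPLE_SETTINGS = """\
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'dbname',
        'USER': 'dbusername',
        'PASSWORD': 'dbpassword',
    }
}
SECRET_KEY = 'hard-coded-secret'
EMAIL_HOST_PASSWORD = os.environ['EMAIL_HOST_PASSWORD']
"""


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SETTINGS):
        print("settings.py:%d: %s is a string literal, move it out of Git" % (lineno, name))
```

Run against the real settings.py (for example from a pre-commit hook) it complements the .gitignore entry for private.py: the ignore rule keeps the secrets file out of the repository, and this check makes sure nothing sensitive creeps back into the tracked file.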