Don't keep sensitive information in your Django settings

🤯 2020 Edit: This is a pretty old post. I've since learned that using environment variables is a much better way to handle sensitive data without having to worry about it ending up in Git. Here's a good post on the subject.

The approach I've outlined here is actually a better way to handle multiple settings files (dev, staging & production).

If you are checking your settings.py into your git repository, you must make sure it does not contain potentially sensitive information such as database passwords, the SECRET_KEY, API tokens and so on. Anything committed is readable by everyone with access to the repository, and it stays in the history even after you delete it.

A quick and easy way to avoid this is to move the secret values into a separate private.py file that lives next to settings.py:

private.py
# Holds only the values that must never be committed.
DATABASES = {
  'default': {  # Django requires the 'default' alias; a bare dict is not accepted
    'ENGINE' : 'django.db.backends.postgresql_psycopg2',  # 'django.db.backends.postgresql' on Django 2.0+
    'NAME' : 'dbname',
    'USER' : 'dbusername',
    'PASSWORD' : 'dbpassword',
  }
}
SECRET_KEY = '...'

and import it at the end of your settings.py, so the private values override anything defined above them:

# private.py sits in the same package as settings.py (explicit relative import;
# a bare `from private import *` only works under Python 2's implicit relative imports).
# Do not catch the ImportError: starting without the real SECRET_KEY is worse than not starting.
from .private import *
# ...

while adding private.py to your .gitignore so it is never committed. Note that .gitignore only stops the file from being added; if private.py (or an earlier settings.py with the same values) was ever committed, the secrets are still in the history and should be rotated.
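The following is an added example, not code from the original post, that ties together the environment-variable approach from the 2020 edit and the git-ignored private.py approach described above: secrets are read from the environment first, then from a private module if one is present, and the process refuses to start if anything required is missing. It also includes a small check that a file is actually listed in .gitignore. The environment variable names, the helper names (build_secret_settings, SecretsMissing, is_gitignored, load_private_module) and the sample inputs are all assumptions made for this example.

```python
"""Added example (not from the original post): assemble the secret-bearing
Django settings from environment variables, falling back to a git-ignored
private.py, and fail loudly when a required value is absent.
All names and environment variable names here are invented for the example."""
import importlib
from types import ModuleType, SimpleNamespace
from typing import Mapping, Optional

# Assumed environment variable names; the post does not prescribe any.
ENV_NAMES = {
    "SECRET_KEY": "DJANGO_SECRET_KEY",
    "DB_NAME": "DJANGO_DB_NAME",
    "DB_USER": "DJANGO_DB_USER",
    "DB_PASSWORD": "DJANGO_DB_PASSWORD",
}


class SecretsMissing(RuntimeError):
    """Raised at settings import time so a misconfigured deployment fails loudly."""


def load_private_module(name: str = "private") -> Optional[ModuleType]:
    """Import the git-ignored module if it exists (typical on a dev box); None otherwise."""
    try:
        return importlib.import_module(name)
    except ImportError:
        return None


def _lookup(key: str, environ: Mapping[str, str], private) -> Optional[str]:
    """Environment wins over private.py, so a stray local file cannot override production."""
    value = environ.get(ENV_NAMES[key])
    if value:
        return value
    return getattr(private, key, None) if private is not None else None


def build_secret_settings(environ: Mapping[str, str], private=None) -> dict:
    """Return the SECRET_KEY and DATABASES settings fragments.

    No defaults on purpose: a placeholder SECRET_KEY such as 'changeme' would be
    shared by every deployment that forgot to set one, which breaks session and
    CSRF protection for all of them at once.
    """
    values = {key: _lookup(key, environ, private) for key in ENV_NAMES}
    missing = [ENV_NAMES[k] for k, v in values.items() if not v]
    if missing:
        raise SecretsMissing("missing secrets: set " + ", ".join(missing))
    return {
        "SECRET_KEY": values["SECRET_KEY"],
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": values["DB_NAME"],
                "USER": values["DB_USER"],
                "PASSWORD": values["DB_PASSWORD"],
            }
        },
    }


def is_gitignored(gitignore_text: str, filename: str) -> bool:
    """True if .gitignore lists `filename` as a bare or slash-anchored entry.

    Deliberately conservative: wildcard patterns are not expanded, so False means
    'check by hand', not 'definitely tracked'. Ignoring a file also does nothing
    for a copy that was already committed earlier in the history.
    """
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lstrip("/") == filename:
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a private.py stand-in and a production-style environment.
    dev_private = SimpleNamespace(SECRET_KEY="dev-only-key", DB_NAME="app",
                                  DB_USER="app", DB_PASSWORD="dev-pass")
    prod_env = {"DJANGO_SECRET_KEY": "k", "DJANGO_DB_NAME": "app",
                "DJANGO_DB_USER": "app", "DJANGO_DB_PASSWORD": "prod-pass"}
    settings = build_secret_settings(prod_env, load_private_module() or dev_private)
    print(settings["DATABASES"]["default"]["PASSWORD"])  # the environment value wins
    print(is_gitignored("*.pyc\n/private.py\n", "private.py"))
```

In a real settings.py you would call build_secret_settings(os.environ, load_private_module()) and splat the result into the module namespace; the point of raising rather than defaulting is that a box without its secrets should never come up serving traffic.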