Heroku Environment Settings with Flask

I have to write this post now lest I forget what I have to say.

I have been developing a website for a dear friend, Patrick Joseph. While I am almost done with most of the bits of the puzzle, I have two really cool things to share about Heroku.

  • SparkPost plugin (I will be covering this in a later blog post)
  • Heroku environment variables

As a developer, I indulge in bad behavior when I let my private settings show up in the repository's source code (for example the SECRET_KEY that signs the CSRF tokens and session cookies of my app, my personal email address, and so on). I am sure you would agree this is a terrible idea, especially if that app is a production website like the one I am building.

The right way to sort this out is an isolated source of settings that never leaves the server (much like the private key in TLS). When I added SparkPost to my Heroku app, I stumbled across the environment variables (Heroku calls them config vars). The simplicity appealed to me and I decided to migrate more of my settings to environment variables. This post outlines some basic items on that front:

How do you add environment variables

This post tells you about it. But the simplest way would be to go to your Heroku dashboard and look at the settings panel.

A sample URL – https://dashboard.heroku.com/apps/<your-app-name-goes-here>/settings

The command line –

# Set the variable (the app is restarted so the new value is visible to the dynos)
$ heroku config:set MY_VARIABLE=blahblahblah
Setting MY_VARIABLE and restarting app... done
MY_VARIABLE: blahblahblah

# Get the variable
$ heroku config:get MY_VARIABLE
blahblahblah

# Delete the variable
$ heroku config:unset MY_VARIABLE
Unsetting MY_VARIABLE and restarting app... done

Using environment variables in Flask

To use the environment variables do the following:

  • Set up a .env file in your local app folder with the configuration key, value pairs. [Make sure that you ignore this file in your version control.] Locally, `heroku local` loads this file into the environment before starting the app; on Heroku the config vars are the environment, so the same code works in both places.
  • Update your Flask config with these variables and use them.
# Import environ to access the variables
from os import environ

from flask import Flask

app = Flask(__name__)

# Initialize configuration values from the config file
# (config.py in the project must define a ProductionConfig class)
app.config.from_object('config.ProductionConfig')

# Update configuration to include the environ settings.
# Caution: this copies EVERY environment variable into app.config, and
# always as a string, so DEBUG="False" would be a truthy value. Prefer
# reading only the specific variables your app needs.
app.config.update(environ)
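A stricter way to wire the environment into Flask, as an added example that is not code from the original post: read only the variables the app needs, parse them into the right types, fall back to a local .env file only when it exists, and refuse to boot in production without a real SECRET_KEY. The names APP_ENV, MAIL_SENDER and SESSION_COOKIE_SECURE, the 32-byte minimum key length and the minimal .env parser are assumptions made for the demo.

```python
"""
Added example (not the original post's code): load Flask settings from
environment variables explicitly, with types and fail-fast checks, instead of
dumping the whole environment into app.config.  APP_ENV, MAIL_SENDER, the
32-byte key minimum and the .env format are assumptions for this demo.
"""
from __future__ import annotations

import os
from pathlib import Path
from typing import Mapping

MIN_SECRET_KEY_BYTES = 32  # assumption: anything shorter is a weak session/CSRF key


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines of a .env file; comments and blank lines are ignored.

    Matching quotes around the value are stripped; anything else is kept verbatim.
    """
    result: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def env_bool(value: str | None, default: bool = False) -> bool:
    """Environment variables are strings: 'False' is truthy unless parsed."""
    if value is None:
        return default
    return value.strip().lower() in {"1", "true", "yes", "on"}


def build_config(env: Mapping[str, str]) -> dict[str, object]:
    """Return a mapping for app.config.from_mapping(), reading only known keys.

    In production a missing or short SECRET_KEY raises RuntimeError, so a
    misconfigured dyno fails at boot instead of serving with a weak key, and
    DEBUG is forced off (the Werkzeug debugger must never face the internet).
    """
    app_env = env.get("APP_ENV", "development")
    production = app_env == "production"
    secret = env.get("SECRET_KEY")
    if production:
        if not secret or len(secret.encode()) < MIN_SECRET_KEY_BYTES:
            raise RuntimeError(
                "SECRET_KEY missing or shorter than %d bytes" % MIN_SECRET_KEY_BYTES
            )
    elif not secret:
        # Throwaway key for local development only; sessions reset on restart.
        secret = os.urandom(MIN_SECRET_KEY_BYTES).hex()
    return {
        "ENV": app_env,
        "DEBUG": False if production else env_bool(env.get("DEBUG"), default=True),
        "SECRET_KEY": secret,
        "MAIL_SENDER": env.get("MAIL_SENDER", "noreply@example.com"),
        "SESSION_COOKIE_SECURE": production,
    }


def load_settings(dotenv_path: str | os.PathLike = ".env") -> dict[str, object]:
    """Merge an optional local .env with the real environment (real wins).

    On Heroku there is no .env file, so the config vars are authoritative.
    """
    merged: dict[str, str] = {}
    path = Path(dotenv_path)
    if path.is_file():  # present locally, never committed
        merged.update(parse_dotenv(path.read_text()))
    merged.update(os.environ)
    return build_config(merged)
```

In the application factory this replaces `app.config.update(environ)` with `app.config.from_mapping(load_settings())`, so a typo in a config var name or a missing key shows up as a boot failure on deploy rather than as a silently misconfigured production site.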

Migrating sensitive variables

Let's say that you have already exposed some sensitive variables. How do you migrate them over to this new setup on Heroku? Simple:

  • Remove the sensitive variables from your repository.
  • Update your code using the tips above.
  • Change the values of your sensitive variables (generate a new SECRET_KEY, and so on). This is the one step that actually revokes what was leaked, so treat it as mandatory rather than optional.
  • Rewrite your commit history so that the old values no longer appear in it, then force-push the rewritten branches.

Simply updating your code will not give you 100% security. Your commit history still has all the sensitive data in the public domain, and rewriting the history removes the leaked values from every commit while the current code remains intact. Keep in mind what a rewrite does not do: anyone who cloned or forked the repository before the rewrite still has the old commits, and a hosting provider may keep the old commits reachable by their hash for a while. That is why rotating the values comes first.
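The history rewrite described above, as an added example that is not from the original post: a POSIX shell script that purges a committed secrets file from every commit with git's built-in `filter-branch`, discards the backup refs and unreachable objects, and then checks that no commit in the repository still contains the leaked value. It assumes git is installed; the throwaway repository, the file name `secrets.py` and the key value it contains are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the original post's code): remove a committed secrets
# file from the whole git history of a repository and verify it is gone.
# Assumes git is installed.  The repository built by demo_purge, the file
# name secrets.py and the fake key value are constructed for this demo.
set -eu

# Rewrite every branch and tag of repo $1 so that file $2 never existed,
# then delete filter-branch's backup refs and garbage-collect the old
# objects so they cannot be recovered from this clone.  Anyone who already
# cloned or forked the repository still has them; rotate the secret anyway.
purge_file_from_history() {
    repo=$1
    path=$2
    (
        cd "$repo"
        FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
            "git rm --cached --ignore-unmatch -q -- '$path'" -- --all >/dev/null 2>&1
        # filter-branch keeps the pre-rewrite history under refs/original/
        git for-each-ref --format='%(refname)' refs/original/ |
            while read -r ref; do git update-ref -d "$ref"; done
        git reflog expire --expire=now --all
        git gc --prune=now --quiet
    )
}

# Count the commits (in any ref of repo $1) whose tree still contains $2.
leaked_commit_count() {
    repo=$1
    needle=$2
    (
        cd "$repo"
        git rev-list --all | while read -r c; do
            git grep -q -F -e "$needle" "$c" && echo "$c" || true
        done | wc -l | tr -d ' '
    )
}

# Build a throwaway repo with a leaked key in two commits, purge it, and
# report the number of leaking commits before and after as "before=N after=M".
demo_purge() {
    tmp=$(mktemp -d)
    repo="$tmp/app"
    fake_key="not-a-real-key-0123456789"   # constructed value, never a real secret
    git init -q "$repo"
    git -C "$repo" config user.name "demo"
    git -C "$repo" config user.email "demo@example.com"
    printf 'SECRET_KEY = "%s"\n' "$fake_key" > "$repo/secrets.py"
    printf 'print("hello")\n' > "$repo/app.py"
    git -C "$repo" add .
    git -C "$repo" commit -q -m "initial commit with leaked key"
    printf 'print("hello, world")\n' > "$repo/app.py"
    git -C "$repo" commit -q -am "tweak app"
    before=$(leaked_commit_count "$repo" "$fake_key")
    purge_file_from_history "$repo" "secrets.py"
    after=$(leaked_commit_count "$repo" "$fake_key")
    rm -rf "$tmp"
    echo "before=$before after=$after"
}
```

On a real repository the rewrite is followed by `git push --force --all` and `git push --force --tags`, and every collaborator must re-clone rather than merge, or the old commits come straight back. `git filter-repo` (a separate tool) does the same job faster and is what the git project now recommends over `filter-branch`, but the built-in command is enough to show the mechanism; neither replaces rotating the key.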

Note: If you think it is better to have a paid subscription to GitHub or Bitbucket, great! I cannot afford a paid subscription to GitHub or Bitbucket for my private projects and hence I tend to take a few extra steps wherever possible with security.
