I have to write this post now lest I forget what I have to say.
I have been developing a website for a dear friend Patrick Joseph. While I am almost done with the most bits of the puzzle, I have two really cool things to share about Heroku.
- SparkPost plugin (I will be covering this in a later blog post)
- Heroku environment variables
As a developer, I indulge in bad behavior when I let my private settings show up in the repository source code (for example the SECRET_KEY used for my app's CSRF tokens, my personal email address, etc.). I am sure you would agree this is a terrible idea, especially if that app is a production website like the one I'm building.
The perfect way to get this sorted is to have an isolated environment settings file that never leaves the server (much like the private key in SSL encryption). When I added SparkPost to my Heroku app, I stumbled across environment variables. The simplicity appealed to me and I decided to migrate more of my settings to environment variables. This post outlines some basic items on that front –
How do you add environment variables
This post tells you about it. But the simplest way would be to go to your Heroku dashboard and look at the settings panel.
The command line –

```
# Set the variable
$ heroku config:set MY_VARIABLE=blahblahblah
Setting config vars and restarting app... done
MY_VARIABLE: blahblahblah

# Get the variable
$ heroku config:get MY_VARIABLE
blahblahblah

# Delete the variable
$ heroku config:unset MY_VARIABLE
Unsetting MY_VARIABLE and restarting app... done
```
Using environment variables in Flask
To use the environment variables do the following:
- Set up a .env file in your local app folder with the configuration key/value pairs. [Make sure that you ignore this file in your version control.]
- Update your Flask config with these variables and use them.
```python
from flask import Flask
# Import environ to access the variables
from os import environ

app = Flask(__name__)

# Initialize configuration values from the config file
app.config.from_object('config.ProductionConfig')

# Update the configuration to include the environment settings
app.config.update(environ)
```
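As an added example (not code from the original post), here is a small loader for a .env file of the kind described above: it seeds the local environment without overriding values Heroku already set, and copies only an allow-list of keys into the Flask config, failing fast if SECRET_KEY is missing. The key names and the sample .env contents are constructed for this example.

```python
import os
import re

# Constructed sample .env contents (assumption: KEY=VALUE lines, optional
# comments and quotes). Not taken from the original post.
SAMPLE_DOTENV = """
# local secrets, never committed
SECRET_KEY="s3cr3t-for-csrf"
SPARKPOST_API_KEY=sp-abc123
ADMIN_EMAIL = admin@example.com   # inline comment
"""

# Keys the app may read. Everything else in the environment (PATH, HOME, ...)
# stays out of app.config so a debug page or log line cannot leak it.
CONFIG_KEYS = ("SECRET_KEY", "SPARKPOST_API_KEY", "ADMIN_EMAIL")
REQUIRED_KEYS = ("SECRET_KEY",)

LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_dotenv(text):
    """Parse .env text into a dict; blank lines and # comments are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # quoted: keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop trailing comment
        values[key] = value
    return values

def load_local_env(text, environ=os.environ):
    """Local dev only: copy .env values into the environment, never
    overriding what Heroku (or the shell) already set."""
    for key, value in parse_dotenv(text).items():
        environ.setdefault(key, value)

def build_config(environ=os.environ):
    """Return only allow-listed keys; fail fast if a required one is missing."""
    missing = [k for k in REQUIRED_KEYS if not environ.get(k)]
    if missing:
        raise RuntimeError(f"missing required config: {', '.join(missing)}")
    return {k: environ[k] for k in CONFIG_KEYS if k in environ}
```

In the Flask app, call `app.config.update(build_config())` in place of `app.config.update(environ)`.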
Migrating sensitive variables
Let’s say you have already exposed some sensitive variables. How do you migrate them over to this new setup on Heroku? Simple –
- Remove the sensitive variables from your repository.
- Update your code using the tips above.
- If possible, change the values of your sensitive variables (so that the exposed values no longer work).
- Squash your commits, a.k.a. remove history.
Simply updating your code will not give you 100% security. Your commit history still holds all the sensitive data in the public domain, so squashing your commit history removes the greater part of that history while the code itself stays intact.
Note: If you think it is better to have a paid subscription to GitHub or Bitbucket, great! I cannot afford a paid subscription to GitHub or Bitbucket for my private projects, and hence I tend to take a few extra steps wherever possible with security.