Django

Lesson 08

Settings by environment

Load sensitive and environment-specific settings from the environment instead of hard-coding production behavior.

Good Code

config/settings.py
import os

# Required values raise KeyError at import time, so a deployment that is
# missing them never starts with a silent fallback.
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
# Only the literal string "1" turns DEBUG on; unset or anything else means off.
DEBUG = os.environ.get("DJANGO_DEBUG") == "1"
ALLOWED_HOSTS = os.environ["DJANGO_ALLOWED_HOSTS"].split(",")

# Optional, comma-separated; empty entries (e.g. a trailing comma) are dropped.
CSRF_TRUSTED_ORIGINS = [
    origin
    for origin in os.environ.get("DJANGO_CSRF_TRUSTED_ORIGINS", "").split(",")
    if origin
]

Bad Code

config/settings.py
SECRET_KEY = "dev-secret"
DEBUG = True
ALLOWED_HOSTS = ["*"]
CSRF_TRUSTED_ORIGINS = ["https://*"]

Review Notes

What to review

Good Code

The good version makes secrets and host rules explicit per environment. Production can fail fast when required values are missing.

Bad Code

The bad version ships permissive defaults. A reviewer cannot tell whether it is local-only code or production configuration waiting to leak.
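A fail-fast loader in the spirit of the good version, added here as an example and not part of the lesson's own code: it reads the same four variables from any mapping such as os.environ and refuses the bad version's wildcards and weak key unless DEBUG is on. SettingsError, load_settings, problem_with and the constructed PROD_ENV and LEAKY_ENV mappings are assumptions of this example.

```python
class SettingsError(RuntimeError):
    """Raised when the environment does not describe a safe configuration."""

def _split_csv(value):
    # Split a comma-separated variable, dropping blanks and surrounding whitespace.
    return [item.strip() for item in value.split(",") if item.strip()]

def load_settings(env):
    """Derive the security-relevant settings from a mapping such as os.environ.
    Missing secrets, and wildcards only tolerable under DEBUG, raise SettingsError."""
    missing = [k for k in ("DJANGO_SECRET_KEY", "DJANGO_ALLOWED_HOSTS") if not env.get(k)]
    if missing:
        raise SettingsError("missing required settings: " + ", ".join(missing))
    debug = env.get("DJANGO_DEBUG") == "1"
    allowed_hosts = _split_csv(env["DJANGO_ALLOWED_HOSTS"])
    trusted_origins = _split_csv(env.get("DJANGO_CSRF_TRUSTED_ORIGINS", ""))
    if not debug:
        # "*" switches off Host-header validation; only a local developer should get that.
        if "*" in allowed_hosts:
            raise SettingsError("ALLOWED_HOSTS must not contain '*' when DEBUG is off")
        for origin in trusted_origins:
            # Require a scheme and a domain: "https://*.example.com" passes, "https://*" does not.
            if "://" not in origin or origin.split("://", 1)[1].strip("*") in ("", "."):
                raise SettingsError("CSRF_TRUSTED_ORIGINS entry is too broad: " + origin)
        # Same length threshold Django's deployment checks apply to SECRET_KEY.
        if len(env["DJANGO_SECRET_KEY"]) < 50:
            raise SettingsError("SECRET_KEY is shorter than 50 characters")
    return {"SECRET_KEY": env["DJANGO_SECRET_KEY"], "DEBUG": debug,
            "ALLOWED_HOSTS": allowed_hosts, "CSRF_TRUSTED_ORIGINS": trusted_origins}

def problem_with(env):
    """Return the SettingsError message for env, or "" when it is acceptable."""
    try:
        load_settings(env)
    except SettingsError as exc:
        return str(exc)
    return ""

# Constructed environments for the demonstration; a deployment passes os.environ instead.
PROD_ENV = {
    "DJANGO_SECRET_KEY": "constructed-example-key-" + "0123456789" * 4,
    "DJANGO_DEBUG": "0",
    "DJANGO_ALLOWED_HOSTS": "app.example.com, api.example.com",
    "DJANGO_CSRF_TRUSTED_ORIGINS": "https://app.example.com,https://*.example.com",
}
LEAKY_ENV = dict(PROD_ENV, DJANGO_ALLOWED_HOSTS="*", DJANGO_CSRF_TRUSTED_ORIGINS="https://*")
```

Running problem_with(LEAKY_ENV) reports the wildcard host, while the same mapping with DJANGO_DEBUG set to "1" loads, which is exactly the distinction the review notes ask for.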

Takeaways

  • Django settings are operational code; review them with security and deployment in mind.