How safe is Basic Auth?

Hi guys,

First I would like to thank the Dash/Plotly developers for this amazing and easy to use library!

I implemented the Basic Auth Example from (So I hardcoded a username/password in my code) and am running my App on Heroku.

I’m in no way an expert on security but hard-coding my password in my code does not feel very safe to me. Can I safely show sensitive data in my app or would someone be able to hack into it? In my app people would not be allowed to create accounts, the password is only there to protect sensitive data.

Please let me know if this is the wrong place to ask this question and whether I should direct my question to Flask or Heroku.

The contents of the Python file won’t be exposed to any users of your app, but there are other reasons why you might not want those to appear within the file.

Another way to do this is to read your usernames and passwords from environment variables using os.getenv. The environment variable could contain the credentials themselves, or the path to a file to read.

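The approach from the reply above, as an added example that is not part of the original thread or of the Dash documentation: credentials come either from an environment variable or from a file whose path is in an environment variable, and the loader refuses to return anything if they are missing or malformed. The variable names `DASH_AUTH_CREDENTIALS` and `DASH_AUTH_CREDENTIALS_FILE` and the JSON layout are assumptions made for this example.

```python
import json
import os

# Variable names are assumptions made for this example.
ENV_INLINE = "DASH_AUTH_CREDENTIALS"       # JSON object: {"user": "password"}
ENV_FILE = "DASH_AUTH_CREDENTIALS_FILE"    # path to a file holding that JSON


class CredentialConfigError(RuntimeError):
    """Raised when credentials are missing or malformed; the app should not start."""


def load_credentials(environ=os.environ):
    """Return {username: password} from the environment, failing closed."""
    inline = environ.get(ENV_INLINE)
    path = environ.get(ENV_FILE)
    if inline and path:
        raise CredentialConfigError(f"set only one of {ENV_INLINE} or {ENV_FILE}")
    if path:
        try:
            with open(path, encoding="utf-8") as fh:
                raw = fh.read()
        except OSError as exc:
            raise CredentialConfigError(f"cannot read {ENV_FILE}: {exc.strerror}") from None
    elif inline:
        raw = inline
    else:
        # No fallback to a built-in default password.
        raise CredentialConfigError("no credentials configured")
    try:
        creds = json.loads(raw)
    except ValueError:
        # Do not echo the raw value: it may contain a password.
        raise CredentialConfigError("credentials are not valid JSON") from None
    if not isinstance(creds, dict) or not creds:
        raise CredentialConfigError("credentials must be a non-empty JSON object")
    for user, password in creds.items():
        if not user or not isinstance(password, str) or not password:
            raise CredentialConfigError("every user needs a non-empty string password")
    return creds


if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    demo_env = {ENV_INLINE: '{"analyst": "constructed-sample-pw"}'}
    print(sorted(load_credentials(demo_env)))
    # In the app: dash_auth.BasicAuth(app, load_credentials())
```

On Heroku the inline variable would be set as a config var rather than committed to the repository.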

@nedned Is there any security benefit in using environment variables? Or is it just for convenience and cleaner code?

Using environment variables for security credentials is vastly safer than putting them inside your code. If they live in your code, then they’re probably also in version control, which means they tend to stick around forever, available for access by anyone who happens across the codebase. Sometimes a webserver can be misconfigured, exposing a script to the public also.

There are security folk who will tell you environment variables have their issues too. But for the majority of purposes I think they probably provide a sufficient degree of security.


Thanks for asking this question, came across it in Google.

Also suggest using environment variables or another PW manager. Since I use AWS for just about everything I really like using AWS Secrets Manager in my Python apps. That way if credentials like API keys used across multiple apps change, as they should be rotated, you can update them in just one place and not have to mod a bunch of deploy scripts.

If this is your only app, still use environment variables though.