Security Issue: SECRET_KEY and DEBUG Not Loaded from .env #56

@Jeong-Min-Cho

Priority

Critical / Security

Description

In cheaper/settings.py, the Django SECRET_KEY and DEBUG values are not being loaded from environment variables, and instead appear to be hardcoded or incorrectly configured.

This is a critical security issue, especially for production deployments, as it can expose sensitive configuration and make it easy to accidentally run with DEBUG=True in production.

Link

https://github.com/evuventures/cheaper/blob/7724165c8ba14498e3d3923f5ade4cc1e1799daf/cheaper/settings.py#L23C11-L23C14

Current Behavior

  • SECRET_KEY is not being read from .env
  • DEBUG is not being read from .env
  • This prevents secure configuration via environment variables
  • Makes production deployments unsafe

Expected Behavior

Both values should be sourced from environment variables, for example:

import os

SECRET_KEY = os.getenv("DJANGO_SECRET_KEY")
DEBUG = os.getenv("DJANGO_DEBUG", "False").lower() == "true"
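As an added illustration (not code from the cheaper repository or from the issue author), here is one way a settings module can source these two values so that a missing key or an unparseable DEBUG value stops startup instead of silently falling back. The helper names, the DJANGO_* variable names and the constructed sample .env contents are assumptions; the .env loader is a minimal stand-in, not python-dotenv.

```python
import os
from pathlib import Path

SAMPLE_DOTENV = """# constructed sample file contents, not a real secret
DJANGO_SECRET_KEY='example-only-0123456789abcdefghijklmnopqrstuvwxyz0123'
DJANGO_DEBUG=false
"""
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}

def parse_dotenv(text):
    """Parse KEY=VALUE lines (comments skipped, quotes stripped) into a dict."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip("'\"")
    return result

def apply_dotenv(path, environ=None):
    """Load a .env file; the real environment always wins over the file."""
    environ = os.environ if environ is None else environ
    applied = {k: v for k, v in parse_dotenv(Path(path).read_text()).items()
               if k not in environ}
    environ.update(applied)
    return applied

def env_bool(name, default=False, environ=None):
    """Strict boolean parse: unrecognised values raise rather than guess."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if value is None:
        return default
    value = value.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name} must be a boolean, got {value!r}")

def require_secret_key(name="DJANGO_SECRET_KEY", environ=None):
    """Refuse to start on a missing, short or 'django-insecure-' placeholder key."""
    environ = os.environ if environ is None else environ
    key = environ.get(name, "")
    if len(key) < 50 or key.startswith("django-insecure-"):
        raise RuntimeError(f"{name} is missing, too short, or a placeholder")
    return key
```

In settings.py this becomes `SECRET_KEY = require_secret_key()` and `DEBUG = env_bool("DJANGO_DEBUG")`, with `apply_dotenv(".env")` called first only for local development.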

Recommendation (Urgent)

  • Load all sensitive settings from environment variables
  • Add .env to .gitignore
  • Rotate SECRET_KEY immediately if it was committed
