Tags: django, django-rest-framework

Django secret key generation


I am making a boilerplate for a Django backend and I need to be able to make it to where the next person who downloads it won't have access to my secret key obviously, or have a different one. I have been researching some options and have become experimental in this process. I have tried the following:

# Generates a fresh 50-character key each time settings.py is imported
from django.core.management.utils import get_random_secret_key
SECRET_KEY = get_random_secret_key()

This appears to be working. I assume it generates a new key every time I run python manage.py runserver. Is this going to be a problem for a production environment? This is really for a heroku deploy, is there a better way I should be doing this with a public repo? I imagine what I am doing now is going to break something.


Solution

  • Your guess is correct, the secret key should not change on every run. Other people should create their own manually and then commit to their repo. Another way is to load it from environment variables and let them place their key there.

    About the second question - the only reason you would need to do it is compromising the key. According to the docs:

    The secret key is used for:

    All sessions if you are using any other session backend than django.contrib.sessions.backends.cache, or are using the default get_session_auth_hash().

    All messages if you are using CookieStorage or FallbackStorage.

    All PasswordResetView tokens.

    Any usage of cryptographic signing, unless a different key is provided.

    So changing it will probably log out all users and invalidate password reset links. It is not what you would like to do on a regular basis, but not a complete disaster.
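The environment-variable approach from the answer, as an added example that is not part of the original question or answer and not Django's own code. It assumes the variable is named DJANGO_SECRET_KEY (a name chosen for this example), refuses to start in production without a key, and only falls back to an ephemeral random key when DEBUG is on, so a checked-in settings.py never contains a real secret and a production dyno can never silently run with a key that changes on every restart. The generator uses the standard library's secrets module with the same 50-character alphabet Django's get_random_secret_key() draws from, so no Django import is needed to run it.

```python
import os
import secrets

# Alphabet and length used by django.core.management.utils.get_random_secret_key()
SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
SECRET_KEY_LENGTH = 50

# Hypothetical variable name for this example; pick whatever your deployment uses
SECRET_KEY_ENV_VAR = "DJANGO_SECRET_KEY"


class MissingSecretKey(RuntimeError):
    """Raised when no usable secret key is available outside DEBUG mode."""


def generate_secret_key(length=SECRET_KEY_LENGTH):
    """Return a new random key using a CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def load_secret_key(environ, debug=False, min_length=SECRET_KEY_LENGTH):
    """Resolve SECRET_KEY for settings.py.

    - If the env var is set and long enough, use it (stable across restarts,
      so sessions, messages and password-reset tokens keep working).
    - If it is missing and DEBUG is on, generate a throwaway key; sessions
      will reset on every restart, which is acceptable only in development.
    - If it is missing and DEBUG is off, refuse to start rather than run
      production with a key that changes per process.
    """
    key = environ.get(SECRET_KEY_ENV_VAR, "").strip()
    if key:
        if len(key) < min_length:
            raise MissingSecretKey(
                f"{SECRET_KEY_ENV_VAR} is too short ({len(key)} chars); "
                f"use at least {min_length}"
            )
        return key
    if debug:
        return generate_secret_key()
    raise MissingSecretKey(
        f"{SECRET_KEY_ENV_VAR} is not set; generate one with "
        "python -c 'from django.core.management.utils import "
        "get_random_secret_key; print(get_random_secret_key())' "
        "and put it in the environment, not in the repo"
    )


# In settings.py (constructed usage, not run at import time here):
#
#   DEBUG = os.environ.get("DJANGO_DEBUG") == "1"
#   SECRET_KEY = load_secret_key(os.environ, debug=DEBUG)

if __name__ == "__main__":
    # Dev run with nothing configured: ephemeral key, fine locally
    print("dev key:", load_secret_key({}, debug=True))
    # Production run with nothing configured: fails loudly
    try:
        load_secret_key({}, debug=False)
    except MissingSecretKey as exc:
        print("prod startup refused:", exc)
    # Production run with the variable set: uses it verbatim
    env = {SECRET_KEY_ENV_VAR: generate_secret_key()}
    print("prod key from env:", load_secret_key(env, debug=False))
```

On Heroku the value is set once with `heroku config:set DJANGO_SECRET_KEY=<generated value>` and survives deploys, which is exactly the stability the answer calls for. If you do have to rotate a compromised key, Django 4.1 and later also support SECRET_KEY_FALLBACKS, a list of old keys that are still accepted for verification but not used for new signatures, which lets existing sessions and reset links expire gracefully instead of all breaking at once.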