I am wondering whether I can generate a random secret key inside my Django application and assign it to the SECRET_KEY variable, instead of reading it from an environment variables. e.g.
# settings.py
from django.core.management.utils import get_random_secret_key
SECRET_KEY = get_random_secret_key()
Is this recommended, or bad practice?
This would call get_random_secret_key() each time the settings are loaded, therefore setting a different SECRET_KEY every time, which is not good. From the docs:
The secret key is used for:
- All sessions if you are using any other session backend than django.contrib.sessions.backends.cache, or are using the default get_session_auth_hash().
- All messages if you are using CookieStorage or FallbackStorage.
- All PasswordResetView tokens.
- Any usage of cryptographic signing, unless a different key is provided.
If you rotate your secret key, all of the above will be invalidated. Secret keys are not used for passwords of users and key rotation will not affect them.