
Wednesday, July 13, 2022

[FIXED] Why hide a django secret key?

 July 13, 2022     django, django-deployment, python, secret-key, web-deployment     No comments   

Issue

I wanted to ask, why should I hide the secret key in a Django application? Why not just commit it to public source control? I understand the effects of an attacker finding out the secret key (from here). But if I just upload the code to GitHub and ask people to download it, run python manage.py runserver and go to 127.0.0.1:8000, I don't need to hide it, right? Don't those effects of revealing the secret key apply to the case where you run the code on your device, using your device as a server, and have them visit it at a public URL? If they're running it on their own device, that doesn't pose a security risk to me, right? I read that knowing the secret key can allow them to bypass form validations, etc. But they would just be messing up the db of their own local installation of the app, so why should I care?


Solution

If it's just an application run on a local machine, I don't see a reason to hide it; just make sure that the user downloading your repo knows that SECRET_KEY is public, because if that person wants for some reason to have it publicly accessible, it would pose a risk to them. The best thing to do is not to set SECRET_KEY at all, so when a user wants to run your app they will have to set their own secret.



Answered By - TrueGopnik
Answer Checked By - Candace Johnson (PHPFixing Volunteer)
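Added example, not part of the question or answer above: a stdlib-only sketch of what the answer recommends, where the application reads its secret from the environment and refuses to start without one, together with a minimal HMAC signer that shows why anyone holding the key can produce signatures the application will accept. The DJANGO_SECRET_KEY variable name and all function names are assumptions chosen for this example; the signer is a simplified model, not Django's django.core.signing.

```python
import hashlib
import hmac
import secrets
import string

# Same 50-character alphabet Django's get_random_secret_key() draws from.
_KEY_CHARS = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"
ENV_VAR = "DJANGO_SECRET_KEY"  # assumed variable name for this example


def generate_secret_key(length=50):
    """Random key for the person running the app to set locally (never committed)."""
    return "".join(secrets.choice(_KEY_CHARS) for _ in range(length))


def load_secret_key(environ):
    """Return the secret from an environment mapping; fail loudly if it is missing.

    Leaving SECRET_KEY out of the repository means a fresh checkout cannot
    start until the operator supplies their own value.
    """
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(
            f"{ENV_VAR} is not set; generate one with generate_secret_key() "
            "and export it before starting the server"
        )
    return key


def sign(value, key):
    """HMAC-SHA256 tag over a string, standing in for Django's signed cookies/tokens."""
    return hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()


def verify(value, tag, key):
    """Constant-time check: only a holder of the same key can produce a valid tag."""
    return hmac.compare_digest(sign(value, key), tag)


if __name__ == "__main__":
    key = generate_secret_key()
    tag = sign("session=alice", key)
    print(verify("session=alice", tag, key))   # same key: accepted
    print(verify("session=alice", tag, "x"))   # different key: rejected
```

In a Django settings module the equivalent single line is `SECRET_KEY = load_secret_key(os.environ)`, so a checkout with no environment variable fails at import time rather than running on a shared, public value.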