问题描述

我正在构建一个flask应用程序，并使用dotenv文件将一些变量切换到环境中，例如生产，开发和测试。

I'm building a flask application and use dotenv file to switch some variables up to environment, such as production, development, and testing.

AFAIK dotenv主要用于安全目的，那么一旦开始运行应用程序，我应该从服务器上删除dotenv文件吗？

如果是这样，当应用程序关闭时，我需要从某个地方拉出dotenv，重新运行该应用程序，然后然后再次删除文件。

AFAIK dotenv is mainly used for security purpose, so should I delete dotenv file from the server once I started to run the application?
If so, when the application is down I would need to pull the dotenv from somewhere, re-run the application, and then delete the file again.

将dotenv文件保留在服务器中不是一个好主意，

，但是上面听起来有点

It's not likely to be a good idea to leave dotenv file in the server,
but the above sounds a little bit annoying from an operation perspective.

最佳实践是什么？

推荐答案

正确保护此文件的方法是使用UNIX文件许可证。

The correct way to protect this file is with UNIX file perms.

chmod 600 .env

然后使用 ls -l .env 检查烫发是否正确：

Then check the perms look correct with ls -l .env:

-rw-------  1 appuser somegroup  0 Oct 18 01:23 .env

任何人使用该用户帐户的shell访问权限，可以读取文件，但也可以使用 set 命令查看所有环境变量。采取上述步骤可以防止其他系统用户读取文件。

Anyone who has shell access with this user account, could read the file, but could also use the set command to view all environment variables. Taking the above step prevents other system users from reading the file.

dotenv 的安全性是这样可以防止您将机密硬编码到您的 .py 文件中，这会使它们被提交到源代码管理中。

The security aspect of dotenv is that it prevents you hard-coding secrets into your .py files which would result in them being committed to source control.

这篇关于您是否将dotenv文件保留在服务器中？还是删除它？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！