Django project deployed to Heroku: Postgres security - Python Forum (https://python-forum.io), Web Scraping & Web Development
Django project deployed to Heroku: Postgres security - Drone4four - Mar-26-2021

I've set up my Django settings.py in such a way that I can access the Postgres instance in the cloud containing my production data in my local development environment by running this command in my local venv shell and in this format:

Quote:
$ export DATABASE_URL='postgres://USER:PASSWORD@HOST:PORT/NAME'

It's a very helpful feature. I love it. As an example, here is a Postgres instance which contains placeholder content:

Quote:
$ export DATABASE_URL='postgres://shzxdfrkdiilyw:37ec5eee52abf4a772454d55e6a71779c05b6720622e945cad54f4fbf7e6f84d@ec2-54-84-98-18.compute-1.amazonaws.com:5432/dcjnf0h34cfsc5'

You would think that posting the above URI on a public forum like this one is a terrible security practice; however, Heroku gives admins a tool to generate a new Postgres username/password combo. Here is the command:

Quote:
(venv) $ heroku pg:credentials:rotate

Before starting this thread, I invoked it. So the hostname, port, and name remain the same, but the new Postgres user/password is completely different. If an attacker discovered my Postgres username and tried to brute force a password that is 64 characters long with a charset size of 36, this has 250 bits of entropy, making it impossible to crack with current silicon.

Here is my question for all of you now: Since the username/pass is now different, for confirmation and verification, my site is still secure and my data is protected, is this correct?
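Added example, not part of the original post: a standard-library Python module that parses a URL in the USER:PASSWORD@HOST:PORT/NAME format above into a Django DATABASES entry, masks the password before the URL is logged or shared, and estimates the password's brute-force search space. The function names, the sample URL and the sslmode=require option are assumptions made for illustration.

```python
import math
import string
from urllib.parse import urlsplit, unquote

# Constructed sample in the post's USER:PASSWORD@HOST:PORT/NAME format (not a real credential).
SAMPLE_URL = "postgres://appuser:" + "0f" * 32 + "@db.example.invalid:5432/appdb"


def parse_database_url(url):
    """Turn a Postgres URL into a Django DATABASES entry that insists on TLS."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("expected a postgres:// URL")
    if not (parts.username and parts.password and parts.hostname):
        raise ValueError("URL must carry user, password and host")
    return {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": unquote(parts.path.lstrip("/")),
        "USER": unquote(parts.username),
        "PASSWORD": unquote(parts.password),
        "HOST": parts.hostname,
        "PORT": str(parts.port or 5432),
        "OPTIONS": {"sslmode": "require"},  # assumption: passed to libpq to refuse plaintext
    }


def redact(url):
    """Return the URL with the password masked, safe for logs or a forum post."""
    parts = urlsplit(url)
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def password_bits(password):
    """Estimate brute-force search space in bits, assuming each character was
    drawn uniformly at random from the character classes actually seen."""
    classes = ["0123456789", "abcdef", "ghijklmnopqrstuvwxyz",
               string.ascii_uppercase, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    db = parse_database_url(SAMPLE_URL)
    print(redact(SAMPLE_URL))
    print(db["HOST"], db["PORT"], db["OPTIONS"])
    print(f"{password_bits(db['PASSWORD']):.0f} bits")
```

In settings.py the entry would be assigned as DATABASES = {"default": parse_database_url(os.environ["DATABASE_URL"])}, so the credential lives only in the environment and never in the repository.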