by ceol 4773 days ago
For Python website projects, I enforce the creation of a _secrets.py file in the config folder that is ignored by git and contains all sensitive constants like database information and tokens. Then, in the _base.py settings file (what all other settings files inherit from), I make sure to `from _secrets import *`. I'm not a fan of setting tokens by environment because it gets a little too unwieldy to make sure bash/zsh/whatever sets the variable.

I haven't run into any problems using that method. Does anyone see a reason to prefer environment variables over it?

2 comments

For me the main reason is consistency. I can write apps in Python, Ruby, node, etc. and configure them all the same way.

The envdir program (from daemontools) is useful for setting environment variables in a shell-agnostic way, e.g., run your app with:

  envdir ./env python app.py

See also

http://12factor.net/config

Another good point. Thanks for the link, too!
When using Heroku and similar hosts, the only way to upload files is via git push, so you won't be able to get your _secrets.py file into the server.
Oh, that's a very good point. I assume Heroku allows you to set environment variables? I've never really used it before, so I didn't even think of that possibility.
Yes, Heroku does, with 'heroku config'.
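An added example, not written by anyone in the thread and not daemontools code: a Python port of the file-per-variable behaviour of `envdir` mentioned above, so a settings module can read the same `./env` directory without depending on any shell. The group/other permission check, the fail-closed `require` helper, and all names and sample values are assumptions made for this example.

```python
import os
import stat
import tempfile


class SecretError(RuntimeError):
    """Raised when a secret file is unsafe or a required secret is absent."""


def load_envdir(path, base_env=None, check_mode=True):
    """Return a copy of base_env updated the way daemontools' envdir would."""
    env = dict(os.environ if base_env is None else base_env)
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        # Skip dotfiles, names that cannot be variable names, and non-files.
        if "=" in name or name.startswith(".") or not os.path.isfile(full):
            continue
        # Added check (not an envdir feature): refuse secret files that
        # other local users could read.
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if check_mode and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretError(f"{full} is accessible to group/other ({mode:o})")
        with open(full, "rb") as fh:
            data = fh.read()
        if not data:
            env.pop(name, None)  # zero-byte file: unset the variable
            continue
        # Only the first line counts; trailing spaces/tabs are dropped and
        # NUL bytes stand in for newlines inside the value.
        first = data.split(b"\n", 1)[0].rstrip(b" \t")
        env[name] = first.replace(b"\0", b"\n").decode()
    return env


def require(env, name):
    """Fail closed: a missing or empty secret stops startup."""
    value = env.get(name)
    if not value:
        raise SecretError(f"required setting {name} is not set")
    return value


def make_sample_envdir():
    """Build a constructed sample directory; every value is a placeholder."""
    d = tempfile.mkdtemp()
    samples = {"DATABASE_URL": b"postgres://app:placeholder@localhost/app  \n# note\n",
               "API_TOKEN": b"constructed-token\n", "DEBUG": b""}
    for name, data in samples.items():
        fd = os.open(os.path.join(d, name), os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    return d
```
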