DJE-004
Severity: Critical
Category: Security
Storing secrets in template context

Error message: Sensitive data exposed in rendered HTML

Passing API keys, database credentials, or other secrets through template context makes them visible in the rendered HTML source. In djust LiveViews the exposure is wider: view state is serialized and may be sent to the client over the WebSocket, so a secret assigned to the view can leak even when no template references it.

Tags: secrets, security
Affected versions: >=0.2.0
Solution
Before (problematic)
from django.conf import settings

class DashboardView(LiveView):
    def mount(self, request):
        # Stored on the view, so it becomes part of the serialized
        # state and is sent to the client!
        self.api_key = settings.STRIPE_SECRET_KEY
After (fixed)
import stripe
from django.conf import settings

class DashboardView(LiveView):
    def mount(self, request):
        # Use the secret server-side only; it is never assigned to self
        stripe.api_key = settings.STRIPE_SECRET_KEY
        # Only the derived, non-secret value is kept in view state
        self.subscription_status = stripe.Subscription.retrieve(
            self.subscription_id
        ).status
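The fix above removes the secret from view state by hand; the following added example (not djust's own code, and not part of this rule page) shows a defensive check that catches the same mistake automatically. It collects the string values held by secret-looking Django settings (names containing SECRET, PASSWORD, TOKEN, API_KEY or PRIVATE_KEY, plus DATABASES passwords), walks a JSON-like context the way a serializer would, and reports every path whose value contains one of those secrets. The `SimpleNamespace` settings, the pattern of setting names, the `assert_safe_to_send` guard and both sample contexts are constructed for the example; in a project you would pass `django.conf.settings` and call the guard right before the LiveView state is serialized.

```python
import re
from types import SimpleNamespace

# Setting names treated as secret-bearing. This is a constructed heuristic,
# not a list djust ships; extend it to match your project's naming.
SECRET_SETTING_PATTERN = re.compile(
    r"SECRET|PASSWORD|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE
)


def collect_secret_values(settings_obj):
    """Return the set of non-empty string values held by secret-looking
    settings, plus every DATABASES[...]['PASSWORD'] entry."""
    secrets = set()
    for name in dir(settings_obj):
        if name.startswith("_") or not SECRET_SETTING_PATTERN.search(name):
            continue
        value = getattr(settings_obj, name)
        if isinstance(value, str) and value:
            secrets.add(value)
    for db_conf in (getattr(settings_obj, "DATABASES", None) or {}).values():
        password = db_conf.get("PASSWORD")
        if isinstance(password, str) and password:
            secrets.add(password)
    return secrets


def find_leaked_secrets(context, secret_values, path="context"):
    """Walk a JSON-like context (dicts, lists, scalars) and return the
    dotted paths of every string that contains a known secret value.
    Substring matching also catches secrets embedded in URLs or messages."""
    leaks = []
    if isinstance(context, dict):
        for key, value in context.items():
            leaks.extend(find_leaked_secrets(value, secret_values, f"{path}.{key}"))
    elif isinstance(context, (list, tuple)):
        for index, value in enumerate(context):
            leaks.extend(find_leaked_secrets(value, secret_values, f"{path}[{index}]"))
    elif isinstance(context, str):
        if any(secret in context for secret in secret_values):
            leaks.append(path)
    return leaks


class SecretLeakError(RuntimeError):
    """Raised when a context about to leave the server carries a secret."""


def assert_safe_to_send(context, settings_obj):
    """Guard to call right before serializing a LiveView's state for the
    client; returns the context unchanged when it is clean."""
    leaks = find_leaked_secrets(context, collect_secret_values(settings_obj))
    if leaks:
        raise SecretLeakError("secret values found at: " + ", ".join(leaks))
    return context


# Constructed sample settings with placeholder values (not real credentials).
SAMPLE_SETTINGS = SimpleNamespace(
    SECRET_KEY="django-insecure-PLACEHOLDER",
    STRIPE_SECRET_KEY="sk_test_PLACEHOLDER",
    DATABASES={"default": {"PASSWORD": "db-password-PLACEHOLDER"}},
    DEBUG=False,
)

# Constructed stand-ins for a serialized LiveView context: the first mirrors
# the "before" view (the key is stored on the view), the second the fix
# (only the derived, non-secret status is stored).
LEAKY_CONTEXT = {
    "api_key": "sk_test_PLACEHOLDER",
    "items": [{"dsn": "postgres://app:db-password-PLACEHOLDER@db/app"}],
}
SAFE_CONTEXT = {
    "subscription_status": "active",
    "items": [{"dsn": "postgres://app@db/app"}],
}


if __name__ == "__main__":
    print(find_leaked_secrets(LEAKY_CONTEXT, collect_secret_values(SAMPLE_SETTINGS)))
    assert_safe_to_send(SAFE_CONTEXT, SAMPLE_SETTINGS)
    try:
        assert_safe_to_send(LEAKY_CONTEXT, SAMPLE_SETTINGS)
    except SecretLeakError as exc:
        print("blocked:", exc)
```

Because matching is by substring, a very short secret that happens to appear inside ordinary strings will produce false positives; that is the safer failure mode for a pre-send guard, and the reported path tells you exactly which attribute to move off the view. The check only knows about secrets held in settings, so values read from elsewhere (environment variables, vaults) need to be added to the set it compares against.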