[mod_python] Secure storage of sensitive variables, such as passwords

Jorey Bump list at joreybump.com
Wed Nov 24 14:55:17 EST 2004

Scott Sanders wrote:

> Maybe I am less paranoid, but I just store that info in the .htaccess 
> under PythonOption directives.   If the .htaccess file were to become 
> exploited, I have bigger problems :)

Well said. Although it puts the passwords and such back in the 
DocumentRoot, apache is typically configured to deny direct access to 
^.ht files, making it a nonissue (but this still doesn't prevent me from 
storing .htpasswd files outside the DocumentRoot -- yes, I *am* more 

The only thing I don't like about it is that it can make applications 
directory-dependent or force them to share a single config file (as 
opposed to importing settings from a specific module). On the other 
hand, it makes it *really* easy to develop a standalone mod_python 
application for distribution. All you'd need to do is untar the 
application directory in your DocumentRoot and edit .htaccess. It opens 
up a lot of possibilities... Thanks!

More information about the Mod_python mailing list