In my Django project I have an .env file which holds my DJANGO_SECRET_KEY environment variable:

export DJANGO_SECRET_KEY=dummysecretkey123

I added a reference to the .env file in my .gitignore file before I initialized the repo, so the SECRET_KEY should not be visible in any repo tracked by git.
In my settings.py I set my SECRET_KEY as follows:

SECRET_KEY = env.str("DJANGO_SECRET_KEY")

For deployment on Heroku I added SECRET_KEY via Config Vars in the Heroku Dashboard - everything worked as expected.
Then out of curiosity, I changed the SECRET_KEY in Heroku to a wrong value to see its effect. To my surprise the app was still online and working. I restarted all dynos, but nothing changed. Then I checked the Heroku server's environment variables via heroku run python manage.py shell

> import os
> print(os.environ)

and could see the deliberately set wrong value for SECRET_KEY.

What am I missing here? Isn't the purpose of the SECRET_KEY to protect my app, meaning that if it is not set properly, the app should not be working?
The purpose of SECRET_KEY in Django is described in the official documentation. It states:

The secret key is used for:
sessions,
messages,
PasswordResetView tokens,
cryptographic signing.
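What changing the key actually does, as an added illustration that is not part of the answer above and does not use Django's own code: a simplified HMAC signer in the spirit of django.core.signing (the key derivation and salt string are assumptions, not Django's exact scheme). A value signed under one SECRET_KEY verifies only under that same key, so after the key is changed existing sessions and tokens are rejected while the process itself keeps serving requests.

```python
import base64
import hashlib
import hmac
from typing import Optional

SALT = "django.core.signing"  # assumed salt label, not Django's real constant


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign(value: str, secret_key: str, salt: str = SALT) -> str:
    """Return 'value:signature', keyed with secret_key (simplified scheme)."""
    # Derive a per-purpose key from the salt and SECRET_KEY, then HMAC the value.
    key = hashlib.sha256((salt + "signer" + secret_key).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return f"{value}:{_b64(mac)}"


def unsign(signed: str, secret_key: str, salt: str = SALT) -> Optional[str]:
    """Return the original value if the signature verifies under secret_key, else None."""
    value, _, _sig = signed.rpartition(":")
    expected = sign(value, secret_key, salt)
    # Constant-time comparison, as a signer should do.
    return value if hmac.compare_digest(expected, signed) else None


def session_survives_key_change(old_key: str, new_key: str) -> bool:
    """Constructed scenario: a session cookie issued under old_key, checked under new_key."""
    cookie = sign("session-id-42", old_key)  # constructed sample session id
    return unsign(cookie, new_key) is not None


if __name__ == "__main__":
    # Rotating the key does not stop the app; it only invalidates what was signed before.
    print("same key :", session_survives_key_change("dummysecretkey123", "dummysecretkey123"))
    print("wrong key:", session_survives_key_change("dummysecretkey123", "wrongvalue"))
```

Running it shows the first check succeeding and the second failing, which is exactly why the Heroku app stayed online after the key was changed: the server never "validates" SECRET_KEY, it only uses it to sign and verify data.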