Overview

The Password Generator application uses environment variables to manage configuration across different environments. This guide covers all required and optional environment variables for both frontend and backend.

Backend Environment Variables

Required Variables

These variables must be set for the Django backend to function properly:
SECRET_KEY (string, required)
Django secret key for cryptographic signing. Generate a secure random string.
# Generate a secure secret key
python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
DEBUG (boolean, required)
Enable or disable debug mode. Must be False in production.
# Production
DEBUG=False
# Development
DEBUG=True
DATABASE_URL (string, required)
PostgreSQL database connection URL (production only).
DATABASE_URL=postgresql://username:password@host:port/database
In development with DEBUG=True, SQLite is used automatically and DATABASE_URL is not required.

Deployment Configuration

ALLOWED_HOSTS_DEPLOY (list, required)
Comma-separated list of allowed hostnames for production.
ALLOWED_HOSTS_DEPLOY=yourdomain.com,www.yourdomain.com,api.yourdomain.com
ALLOWED_HOSTS_DEV (list, default: "localhost,127.0.0.1")
Comma-separated list of allowed hostnames for development.
ALLOWED_HOSTS_DEV=localhost,127.0.0.1,192.168.1.100

CORS Configuration

Cross-Origin Resource Sharing (CORS) settings allow the frontend to communicate with the backend API:
CORS_ALLOWED_ORIGINS_DEPLOY (list, required)
Comma-separated list of allowed origins for production.
CORS_ALLOWED_ORIGINS_DEPLOY=https://yourdomain.com,https://www.yourdomain.com
CORS_ALLOWED_ORIGINS_DEV (list)
Comma-separated list of allowed origins for development.
CORS_ALLOWED_ORIGINS_DEV=http://localhost:3000,http://127.0.0.1:3000
CSRF_TRUSTED_ORIGINS_DEPLOY (list, required)
Comma-separated list of trusted origins for CSRF protection in production.
CSRF_TRUSTED_ORIGINS_DEPLOY=https://yourdomain.com,https://www.yourdomain.com
CSRF_TRUSTED_ORIGINS_DEV (list)
Comma-separated list of trusted origins for CSRF protection in development.
CSRF_TRUSTED_ORIGINS_DEV=http://localhost:3000,http://127.0.0.1:3000

Database Configuration

The application uses different database configurations based on the DEBUG setting:

Development (DEBUG=True)

settings.py
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': BASE_DIR / 'db.sqlite3',
    }
}

Production (DEBUG=False)

settings.py
DATABASES = {
    'default': dj_database_url.config(
        default=env('DATABASE_URL'),
        conn_max_age=600,
        ssl_require=True
    )
}
The production configuration uses dj-database-url to parse the DATABASE_URL and enables SSL connections.

JWT Authentication Configuration

The application uses JWT tokens for authentication with the following settings:
settings.py
from datetime import timedelta

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(days=1),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    'ROTATE_REFRESH_TOKENS': True,
    'BLACKLIST_AFTER_ROTATION': True,
}
ACCESS_TOKEN_LIFETIME (duration, default: "1 day")
How long access tokens remain valid.
REFRESH_TOKEN_LIFETIME (duration, default: "1 day")
How long refresh tokens remain valid.
ROTATE_REFRESH_TOKENS (boolean, default: "True")
Generate a new refresh token when refreshing.
BLACKLIST_AFTER_ROTATION (boolean, default: "True")
Blacklist old refresh tokens after rotation.

Fly.io Specific

FLY_APP_NAME (string)
Automatically set by Fly.io. The app name is added to ALLOWED_HOSTS.
settings.py
import os

FLY_APP_NAME = os.environ.get('FLY_APP_NAME')
if FLY_APP_NAME:
    ALLOWED_HOSTS.append(f'{FLY_APP_NAME}.fly.dev')

Frontend Environment Variables

API Configuration

NEXT_PUBLIC_API_URL (string, required)
Backend API URL. Must be prefixed with NEXT_PUBLIC_ to be exposed to the browser.
.env.local
NEXT_PUBLIC_API_URL=https://password-generator-backend.fly.dev/api/
The current implementation in src/app/utils/Request.api.js uses a hardcoded URL. Update it to use this environment variable:
const api = axios.create({
  baseURL: process.env.NEXT_PUBLIC_API_URL || "http://localhost:8000/api/",
});

Environment File Examples

Backend .env (Development)

.env
# Django Configuration
SECRET_KEY=your-development-secret-key-here
DEBUG=True

# Development Hosts
ALLOWED_HOSTS_DEV=localhost,127.0.0.1

# CORS Configuration (Development)
CORS_ALLOWED_ORIGINS_DEV=http://localhost:3000,http://127.0.0.1:3000
CSRF_TRUSTED_ORIGINS_DEV=http://localhost:3000,http://127.0.0.1:3000

Backend .env (Production)

.env
# Django Configuration
SECRET_KEY=your-production-secret-key-change-this-to-a-random-string
DEBUG=False

# Database
DATABASE_URL=postgresql://username:password@host:5432/database

# Production Hosts
ALLOWED_HOSTS_DEPLOY=api.yourdomain.com,yourdomain.com

# CORS Configuration (Production)
CORS_ALLOWED_ORIGINS_DEPLOY=https://yourdomain.com,https://www.yourdomain.com
CSRF_TRUSTED_ORIGINS_DEPLOY=https://yourdomain.com,https://www.yourdomain.com

Frontend .env.local

.env.local
# API Configuration
NEXT_PUBLIC_API_URL=https://password-generator-backend.fly.dev/api/

# Or for local development
# NEXT_PUBLIC_API_URL=http://localhost:8000/api/

Django Settings Configuration

The application uses django-environ to read environment variables:
settings.py
from pathlib import Path

import environ
import dj_database_url

env = environ.Env()
environ.Env.read_env()

BASE_DIR = Path(__file__).resolve().parent.parent

# Read environment variables
SECRET_KEY = env('SECRET_KEY')
DEBUG = env.bool('DEBUG', default=False)

# Environment-specific configuration
if not DEBUG:
    # Production settings
    ALLOWED_HOSTS = env.list('ALLOWED_HOSTS_DEPLOY', default=[])
    CORS_ALLOWED_ORIGINS = env.list('CORS_ALLOWED_ORIGINS_DEPLOY', default=[])
    CSRF_TRUSTED_ORIGINS = env.list('CSRF_TRUSTED_ORIGINS_DEPLOY', default=[])
    
    # PostgreSQL database
    DATABASES = {
        'default': dj_database_url.config(
            default=env('DATABASE_URL'),
            conn_max_age=600,
            ssl_require=True
        )
    }
else:
    # Development settings
    ALLOWED_HOSTS = env.list('ALLOWED_HOSTS_DEV', default=['localhost', '127.0.0.1'])
    CORS_ALLOWED_ORIGINS = env.list('CORS_ALLOWED_ORIGINS_DEV', default=[])
    CSRF_TRUSTED_ORIGINS = env.list('CSRF_TRUSTED_ORIGINS_DEV', default=[])
    
    # SQLite database
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.sqlite3',
            'NAME': BASE_DIR / 'db.sqlite3',
        }
    }

REST Framework Configuration

The Django REST Framework is configured with JWT authentication:
settings.py
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    "DEFAULT_SCHEMA_CLASS": "rest_framework.schemas.coreapi.AutoSchema",
}

Static Files Configuration (Production)

settings.py
import os

if not DEBUG:
    STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
    STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'

Localization Settings

The application is configured for Colombian Spanish:
settings.py
LANGUAGE_CODE = 'es-co'
TIME_ZONE = 'America/Bogota'
USE_I18N = True
USE_TZ = True

Security Best Practices

1. Generate a strong SECRET_KEY

Use a cryptographically secure random string:
python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
2. Never commit .env files

Add to .gitignore:
.gitignore
.env
.env.local
.env.*.local
3. Use different keys per environment

Never reuse the same SECRET_KEY across development, staging, and production.
4. Restrict CORS origins

Only allow your frontend domain(s):
# Good
CORS_ALLOWED_ORIGINS_DEPLOY=https://yourdomain.com

# Bad - too permissive
CORS_ALLOW_ALL_ORIGINS=True
5. Enable database SSL in production

The configuration already includes ssl_require=True for PostgreSQL connections.

Environment Variable Checklist

Backend Production
  • SECRET_KEY is set to a strong random value
  • DEBUG=False
  • DATABASE_URL points to PostgreSQL
  • ALLOWED_HOSTS_DEPLOY includes your domain
  • CORS_ALLOWED_ORIGINS_DEPLOY includes your frontend domain
  • CSRF_TRUSTED_ORIGINS_DEPLOY includes your frontend domain
Backend Development
  • SECRET_KEY is set (can be simple for dev)
  • DEBUG=True
  • ALLOWED_HOSTS_DEV includes localhost
  • CORS_ALLOWED_ORIGINS_DEV includes localhost:3000
Frontend
  • NEXT_PUBLIC_API_URL points to backend API
  • Updated Request.api.js to use environment variable

Troubleshooting

"SECRET_KEY" KeyError

If you see this error, the SECRET_KEY environment variable is not set:
# Verify environment variables are loaded
python manage.py shell
>>> import os
>>> os.environ.get('SECRET_KEY')

CORS Errors

If you see CORS errors in the browser console:
  1. Verify CORS_ALLOWED_ORIGINS_DEPLOY includes your frontend URL (with protocol)
  2. Ensure there are no trailing slashes
  3. Check the backend logs for CORS rejection messages
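
The Backend Production checklist and the CORS checks above (protocol present, no trailing slash) can be run as a pre-deploy check. This is an added example, not part of the project's code: the function names and the 50-character key minimum are assumptions of this example, and BAD_ENV is constructed sample data.

```python
from urllib.parse import urlsplit

PLACEHOLDER_HINTS = ("your-", "change-this", "secret-key-here")  # from the page's sample keys

def split_list(raw):
    """Split a comma-separated value such as ALLOWED_HOSTS_DEPLOY."""
    return [item.strip() for item in raw.split(",") if item.strip()]

def origin_problem(origin):
    """Return why a production origin is malformed, or None if it is fine."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return f"{origin!r} must start with https://"
    if parts.path or parts.query or parts.fragment:
        return f"{origin!r} must not have a trailing slash or path"
    return None

def audit_production_env(env):
    """Check production variables (a dict) against the checklist; return problems."""
    problems = []
    key = env.get("SECRET_KEY", "")
    # Assumption: require 50 characters, the length get_random_secret_key() emits.
    if len(key) < 50 or any(hint in key.lower() for hint in PLACEHOLDER_HINTS):
        problems.append("SECRET_KEY is missing, short, or still a placeholder")
    if env.get("DEBUG", "").strip().lower() != "false":
        problems.append("DEBUG must be set to False")
    if urlsplit(env.get("DATABASE_URL", "")).scheme not in ("postgres", "postgresql"):
        problems.append("DATABASE_URL must be a postgresql:// URL")
    hosts = split_list(env.get("ALLOWED_HOSTS_DEPLOY", ""))
    if not hosts or "*" in hosts:
        problems.append("ALLOWED_HOSTS_DEPLOY must list explicit hostnames")
    for name in ("CORS_ALLOWED_ORIGINS_DEPLOY", "CSRF_TRUSTED_ORIGINS_DEPLOY"):
        origins = split_list(env.get(name, ""))
        found = [f"{name}: {p}" for p in map(origin_problem, origins) if p]
        problems += found if origins else [f"{name} is empty"]
    return problems

# Constructed sample with one mistake per variable (not a real deployment).
BAD_ENV = {
    "SECRET_KEY": "your-production-secret-key-change-this-to-a-random-string",
    "DEBUG": "True",
    "DATABASE_URL": "sqlite:///db.sqlite3",
    "ALLOWED_HOSTS_DEPLOY": "*",
    "CORS_ALLOWED_ORIGINS_DEPLOY": "https://yourdomain.com/",
    "CSRF_TRUSTED_ORIGINS_DEPLOY": "yourdomain.com",
}

if __name__ == "__main__":
    print("\n".join(audit_production_env(BAD_ENV)))
```

Pass it dict(os.environ) in a deploy script and fail the deploy when the returned list is not empty.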

Database Connection Failed

If the database connection fails:
# Test database URL format
echo $DATABASE_URL

# Should output:
# postgresql://username:password@host:port/database
