By default, the Django database host/user/password are stored in the project's configurations.py file in plain text.

I can't seem to think of an easy alternative right now, but this appears to go against guidelines for password storage. Granted, if the attacker can access the configurations file, then all is most likely lost. Even if the file were encrypted, the attacker would most likely have the means to decrypt it at that point.

Is this okay?

You're correct. However, you can increase security by:

  • Setting the permissions properly (this will depend on your setup). Ideally only python should be able to read the file.

  • Storing the file outside the www or htdocs root. If at this point an attacker can still access it, you're screwed anyway.

  • For additional security, you can protect the connection settings using symmetric encryption (eg: AES). Keep the key elsewhere. So even if someone managed to gain access to the connection settings, they'd still have to find the key. The main drawback is that now you have to rewrite the connection method.
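The first two points above (restrictive permissions, file kept outside the web root), as an added example that is not code from the answer's author: a loader that creates the credentials file with mode 0600 from the start and refuses to read it if it is group- or world-accessible or owned by someone else. The environment variable name, the JSON layout and the PostgreSQL engine are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical: the credentials file lives outside the web root and its
# path is handed to Django through this environment variable.
CREDS_ENV = "DJANGO_DB_CREDENTIALS"
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO

def write_private_file(path, creds):
    """Create the file with mode 0600 atomically: no window where a
    default-umask 0644 copy exists on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f)

def check_private_file(path):
    """Return (ok, reason). Only the user running python may read it."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & GROUP_OR_WORLD:
        return False, "readable by group or others"
    if st.st_uid != os.getuid():
        return False, "not owned by the current user"
    return True, "ok"

def load_db_settings(path=None):
    """Build the DATABASES dict Django expects, or refuse loudly."""
    path = Path(path or os.environ[CREDS_ENV])
    ok, reason = check_private_file(path)
    if not ok:
        raise PermissionError(f"{path}: {reason}")
    creds = json.loads(path.read_text())
    missing = {"NAME", "USER", "PASSWORD", "HOST"} - creds.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return {"default": {"ENGINE": "django.db.backends.postgresql", **creds}}

def self_check():
    """Exercise both outcomes in a temp dir: (loaded settings, rejection reason)."""
    sample = {"NAME": "app", "USER": "app", "PASSWORD": "example-only",
              "HOST": "127.0.0.1"}  # constructed sample credentials
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "db.json")
        write_private_file(p, sample)
        good = load_db_settings(p)
        os.chmod(p, 0o644)  # simulate a careless chmod after deployment
        try:
            load_db_settings(p)
            rejected = None
        except PermissionError as e:
            rejected = str(e)
    return good, rejected
```

In the settings module this becomes `DATABASES = load_db_settings()`, so a mis-permissioned file stops the app at startup instead of silently shipping readable credentials.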

Yes, it's the standard technique for any program that talks to a database. There really isn't a "better way" to do it.

There are ways to help prevent unauthorized hosts from connecting (ip tables, private ip addresses), but the actual connection details are nearly always plain text.

Storing the file outside of the web root will help some, but if the attacker can access the file system it won't matter.