revsys / django-health-check

a pluggable app that runs a full check on the deployment, using a number of plugins to check e.g. database, queue server, celery processes, etc.

Home Page: https://readthedocs.org/projects/django-health-check/

Potential RabbitMQ password leak

Amoki opened this issue · comments

Hi and thanks for this awesome lib!

When generating a 500 with DEBUG = True or when sending 500 by mail, Django generates a report with env variables.
If the variable name in settings.py contains "PASSWORD" or "SECURE", Django replaces the values with *********.

The variable BROKER_URL contains the password. (And maybe the same for Redis?)

It could be great to be able to define a variable SECURE_BROKER_URL so Django hides the password.

If needed, I could write a PR.

Hi @Amoki,

Thanks for reaching out. Hm… I see your point, however, we only chose BROKER_URL because that's the setting Celery uses.
Which is probably one of the most commonly used packages in the Django world.

The first scenario you describe is highly discouraged, you should never ever run DEBUG=True on a production application. The email part shouldn't really be a problem, as crash reports are only sent to admins. I would assume that admins would have access to the credentials anyway.

Here's what I would advise you to do. It is very common to use URLs to encode secrets in Django, for email, caching, message queues and of course databases. URL support has even been proposed as a new core feature in Django.
I would kindly ask you to reach out to the Django security mailing list. I believe it's best if settings containing URLs are also replaced.

Best,
Joe
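The gap this thread describes, as an added example that is not code from django-health-check or Django: a name-based filter like the one Amoki mentions masks `SECRET_KEY` but passes `BROKER_URL` through with its embedded password, so a second pass masks the password component of any URL-shaped value, which is what Joe suggests for URL settings in general. The `HIDDEN_NAME` pattern and the sample settings are constructed for illustration and only approximate Django's real filter.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed approximation of a name-based filter such as Django's
# SafeExceptionReporterFilter; the real pattern is not reproduced here.
HIDDEN_NAME = re.compile(r"PASSWORD|PASS|SECRET|SECURE|TOKEN|KEY", re.I)
MASK = "********"

# Constructed sample settings; no real credentials.
SAMPLE_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "django-insecure-example",
    "BROKER_URL": "amqp://guest:s3cret@rabbit.internal:5672/vhost",
    "CACHE_URL": "redis://:r3dis@cache.internal:6379/0",
    "RESULT_BACKEND": "redis://cache.internal:6379/1",   # no credentials
}


def mask_url_password(value):
    """Replace the password in a user:password@host URL with MASK.

    Non-string values, non-URL strings and URLs without a password are
    returned unchanged, so this is safe to run over every setting.
    """
    if not isinstance(value, str) or "://" not in value:
        return value
    parts = urlsplit(value)
    if parts.password is None:
        return value
    # Keep host:port exactly as written; only the password changes.
    hostport = parts.netloc.rpartition("@")[2]
    netloc = f"{parts.username or ''}:{MASK}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def cleanse_settings(settings):
    """Mask settings by name (Django-style) and then by URL password.

    The second pass is the part missing from a purely name-based filter:
    it catches BROKER_URL, CACHE_URL and similar without renaming them.
    """
    cleansed = {}
    for name, value in settings.items():
        if HIDDEN_NAME.search(name):
            cleansed[name] = MASK
        else:
            cleansed[name] = mask_url_password(value)
    return cleansed


if __name__ == "__main__":
    for name, value in cleanse_settings(SAMPLE_SETTINGS).items():
        print(f"{name} = {value}")
```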