with DEBUG = True, database credentials (specifically the password) are displayed in clear text on Django’s technical 500 debug page.

[cesarbenjamindotnet]

When using dj-database-url in a Django project with DEBUG = True, database credentials (specifically the password) are displayed in clear text on Django’s technical 500 debug page.

Django’s debug page normally masks sensitive settings (e.g. passwords, secret keys) with ***********. This works as expected for many built-in settings, but database passwords parsed via dj-database-url are not masked and are fully visible in the error page.

This can lead to accidental credential exposure during development, debugging sessions, screen sharing, or error screenshots.

Steps to reproduce

1. Create a Django project with DEBUG = True
2. Install and configure dj-database-url
3. Configure the database using an environment variable, for example:

DATABASE_URL=postgres://user:supersecret@localhost:5432/mydb

4. In settings.py:

import dj_database_url

DATABASES = {
    "default": dj_database_url.config()
}

6. Trigger an unhandled exception so that Django’s technical 500 debug page is shown
7. Inspect the Settings section of the debug page

Observed behavior

In the debug page, under DATABASES, the database password is shown in clear text:

'DATABASES': {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'mydb',
        'USER': 'user',
        'PASSWORD': 'supersecret',
        'HOST': 'localhost',
        'PORT': '5432',
    }
}

Expected behavior

Sensitive credentials such as database passwords should be masked in the Django debug page (e.g. displayed as ***********), consistent with how Django handles other sensitive settings.

Why this matters

• Django developers reasonably expect secrets to be masked in the debug page
• dj-database-url is commonly used in local development, CI, and cloud-based environments
• The issue can lead to accidental leakage of credentials in logs, screenshots, or screen sharing sessions
• The behavior is surprising, as Django does mask other sensitive configuration values

Additional context

• This only affects Django’s debug error page
• Production behavior is not affected
• The issue appears to be related to how Django determines which settings are considered sensitive when rendering the debug page

[mattseymour]

So this is by design in side of Django, only certain fields are obfascated by default. See the Debug documentation for how this works.

TLDR, only the following fields will be obfascated:

As a security measure, Django will not include settings that might be sensitive, such as SECRET_KEY. Specifically, it will exclude any setting whose name includes any of the following:

'API'
'KEY'
'PASS'
'SECRET'
'SIGNATURE'
'TOKEN'

If you would like to hide these settings when in DEBUG mode then you could name your DATABASE_URL -> DATABASE_URL_{key,secret,token}. Having one of these words in the the environment variable will hide it.

In dj_database_url you can then use the following code.

DATABASE_URL = {
    "default": dj_database_url.config(env='DATABASE_URL_TOKEN')
}

[bahoo]

Also an option: extending SafeExceptionReporterFilter, which you can specify with DEFAULT_EXCEPTION_REPORTER_FILTER.

In the spirit of "batteries included," this could potentially be included in the package, or its docs.