I have 2 Django sites deployed on Heroku, and I noticed that AWSAccessKeyId and Signature are exposed in both sites’ photo URLs when I open the image in a new tab.

I don’t think this is normal, since I know those keys should be kept in the environment.

This post is also available on DEV.