Environment Variables Management and Security: The Right Way to Use .env Files
Dev

Environment Variables Management and Security: The Right Way to Use .env Files

Best practices for managing environment variables and .env files. Covers API key security, .gitignore configuration, secrets management, and avoiding common pitfalls.

Every week, security researchers find API keys, database passwords, and OAuth secrets in public GitHub repositories. The root cause is almost always the same: secrets committed in source code. Environment variables and proper .env management are the solution.

What Are Environment Variables?

Environment variables are key-value pairs stored in the operating environment, outside your codebase. Applications read them at runtime, allowing configuration to change without code changes.

What should go in environment variables:

  • API keys and authentication tokens
  • Database connection strings and passwords
  • Third-party service credentials
  • Environment flags (development/staging/production)
  • Port numbers, hostnames, feature flags

Why hardcoding secrets is dangerous: Any secret committed to a Git repository is visible to everyone with repository access — and potentially forever (Git history doesn't forget). GitHub's automatic secret scanning detects many API key formats and alerts you, but the safest approach is never committing them.

Environment CheckerCheck your browser, OS, and environment details in one click.

Using .env Files

Basic syntax:

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/mydb

# API Keys
OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_live_xxxxxxxx

# App settings
NODE_ENV=development
PORT=3000
  • Lines starting with # are comments
  • Quote values containing spaces
  • Uppercase with underscores is the naming convention

File naming conventions:

FilePurpose
.envBase configuration (non-secret defaults)
.env.localPersonal local overrides (never commit)
.env.developmentDevelopment-specific settings
.env.productionProduction-specific settings
.env.exampleTemplate committed to Git (no real values)

Required .gitignore entries:

.env
.env.local
.env.*.local

Commit .env.example with all variable names but no values — it tells teammates what to configure.

Environment CheckerCheck your browser, OS, and environment details in one click.

Security Best Practices

1. Principle of least privilege API keys should have only the permissions they need. A key used for read operations shouldn't have write access. Restrict keys to specific IP ranges when the service supports it.

2. Key rotation Treat long-lived API keys as a risk. Rotate credentials every 3–6 months. Use separate keys for production and development/testing environments.

3. Don't expose secrets to the client In Next.js, any variable with the NEXT_PUBLIC_ prefix gets bundled into the JavaScript sent to browsers. Never add API keys or secrets to client-exposed variables.

4. Use managed secrets in production Production environments should use dedicated secrets management rather than .env files:

  • AWS Secrets Manager / Parameter Store
  • Google Cloud Secret Manager
  • HashiCorp Vault
  • Vercel Environment Variables (for Vercel deployments)
  • Doppler, Infisical (developer-friendly options)

5. Never log environment variables console.log(process.env) during debugging exposes everything to log aggregation systems. If you must log a key for debugging, mask it: show only the first 4 characters.

FAQ

Q: I accidentally committed an API key to GitHub. What now? A: Revoke the key immediately — before doing anything else. Then rotate (generate a new key). After that, clean the Git history with git filter-repo (preferred) or BFG Repo Cleaner. Assume the key was already seen by automated scanners; revocation is the real fix.

Q: How do I share .env values with my team securely? A: Use a team password manager (1Password, Bitwarden, Doppler) or a secure note in your project management tool. Avoid plaintext sharing via Slack, email, or chat — these services retain message history and may be less secure.

Q: Do .env files work in Python, Ruby, or Docker? A: Yes. python-dotenv for Python, dotenv-rails for Ruby, dotenv for Node.js. In Docker, use --env-file .env flag or env_file: in docker-compose.yml. In Kubernetes, use Secrets objects mounted as environment variables.

Summary

Three rules prevent most environment variable security issues:

  1. Add .env to .gitignore before writing any secrets
  2. Share configuration through .env.example and secure channels
  3. Use cloud secrets management in production

The checking tool helps identify which variables you've set and whether they're properly configured for your environment.

Related Articles