
Environment Variables Management and Security: The Right Way to Use .env Files
Best practices for managing environment variables and .env files. Covers API key security, .gitignore configuration, secrets management, and avoiding common pitfalls.
Every week, security researchers find API keys, database passwords, and OAuth secrets in public GitHub repositories. The root cause is almost always the same: secrets committed in source code. Environment variables and proper .env management are the solution.
What Are Environment Variables?
Environment variables are key-value pairs stored in the operating environment, outside your codebase. Applications read them at runtime, allowing configuration to change without code changes.
What should go in environment variables:
- API keys and authentication tokens
- Database connection strings and passwords
- Third-party service credentials
- Environment flags (development/staging/production)
- Port numbers, hostnames, feature flags
Why hardcoding secrets is dangerous: Any secret committed to a Git repository is visible to everyone with repository access — and potentially forever (Git history doesn't forget). GitHub's automatic secret scanning detects many API key formats and alerts you, but the safest approach is never committing them.
Environment CheckerCheck your browser, OS, and environment details in one click.Using .env Files
Basic syntax:
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
# API Keys
OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_live_xxxxxxxx
# App settings
NODE_ENV=development
PORT=3000
- Lines starting with
#are comments - Quote values containing spaces
- Uppercase with underscores is the naming convention
File naming conventions:
| File | Purpose |
|---|---|
.env | Base configuration (non-secret defaults) |
.env.local | Personal local overrides (never commit) |
.env.development | Development-specific settings |
.env.production | Production-specific settings |
.env.example | Template committed to Git (no real values) |
Required .gitignore entries:
.env
.env.local
.env.*.local
Commit .env.example with all variable names but no values — it tells teammates what to configure.
Security Best Practices
1. Principle of least privilege API keys should have only the permissions they need. A key used for read operations shouldn't have write access. Restrict keys to specific IP ranges when the service supports it.
2. Key rotation Treat long-lived API keys as a risk. Rotate credentials every 3–6 months. Use separate keys for production and development/testing environments.
3. Don't expose secrets to the client
In Next.js, any variable with the NEXT_PUBLIC_ prefix gets bundled into the JavaScript sent to browsers. Never add API keys or secrets to client-exposed variables.
4. Use managed secrets in production Production environments should use dedicated secrets management rather than .env files:
- AWS Secrets Manager / Parameter Store
- Google Cloud Secret Manager
- HashiCorp Vault
- Vercel Environment Variables (for Vercel deployments)
- Doppler, Infisical (developer-friendly options)
5. Never log environment variables
console.log(process.env) during debugging exposes everything to log aggregation systems. If you must log a key for debugging, mask it: show only the first 4 characters.
FAQ
Q: I accidentally committed an API key to GitHub. What now?
A: Revoke the key immediately — before doing anything else. Then rotate (generate a new key). After that, clean the Git history with git filter-repo (preferred) or BFG Repo Cleaner. Assume the key was already seen by automated scanners; revocation is the real fix.
Q: How do I share .env values with my team securely? A: Use a team password manager (1Password, Bitwarden, Doppler) or a secure note in your project management tool. Avoid plaintext sharing via Slack, email, or chat — these services retain message history and may be less secure.
Q: Do .env files work in Python, Ruby, or Docker?
A: Yes. python-dotenv for Python, dotenv-rails for Ruby, dotenv for Node.js. In Docker, use --env-file .env flag or env_file: in docker-compose.yml. In Kubernetes, use Secrets objects mounted as environment variables.
Summary
Three rules prevent most environment variable security issues:
- Add
.envto.gitignorebefore writing any secrets - Share configuration through
.env.exampleand secure channels - Use cloud secrets management in production
The checking tool helps identify which variables you've set and whether they're properly configured for your environment.


