Tech Notes

Overview

This note covers how to manage environment variables safely. Hardcoding API keys and database connection details into your code risks exposing them by accident. By combining a .env file with a secrets management service, you can handle them safely.

  • Category: Backend
  • Related tags: env vars / security / operations
  • Updated: 2026-06-03

Background

When I started out, I wrote connection details straight into the source code. Once the team grew and we began sharing the repository, this approach risked leaking sensitive information. There was also a need to switch values per environment, so I decided to clean things up.

Steps

  1. Create a .env file at the project root
  2. Add .env to .gitignore so it is never committed by accident
  3. Write keys and values in KEY=value format
  4. Load them in the app with a dedicated library
  5. In production, use the server's environment variables or a secrets management service
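
Steps 3 to 5 as an added example, not code from the original note or from any particular dotenv library: a small loader that parses KEY=value lines (including quoted values), lets the server's real environment variables override the file, and fails at startup when a required key is missing. Python, the key names and the sample values are assumptions made for illustration.

```python
import os

def parse_env(text):
    """Parse KEY=value lines; supports comments, blank lines and quoted values."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.replace("_", "").isalnum() or key[0].isdigit():
            # Report the line number only, never the content (it may be a secret).
            raise ValueError(f"line {lineno}: expected KEY=value")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # quoted: keep spaces, '#' and '=' verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        values[key] = value
    return values

def load_settings(required, env_text="", environ=None):
    """Merge .env values with the process environment; the real environment wins."""
    environ = os.environ if environ is None else environ
    merged = {**parse_env(env_text), **environ}
    missing = [k for k in required if not merged.get(k)]
    if missing:
        # Fail at startup, naming the missing keys but printing no values.
        raise RuntimeError("missing required settings: " + ", ".join(missing))
    return {k: merged[k] for k in required}

# Constructed sample .env content (placeholder values, not real credentials).
SAMPLE_ENV = '''
# local development only
DATABASE_URL="postgres://app:p@ss word#1@localhost/dev"
API_KEY=example-key-123   # inline comment
'''

if __name__ == "__main__":
    # Print only the key names that loaded, never the values.
    print(sorted(load_settings(["DATABASE_URL", "API_KEY"], SAMPLE_ENV, environ={})))
```

Passing an empty `env_text` in production makes the loader rely on the server's environment variables alone, so a key that was never registered in the deploy settings stops the app at startup instead of failing later.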

Gotchas

  • I had already committed .env. I removed it from history too and reissued the leaked keys
  • Values failed to load only in production; the cause was forgetting to register them in the deploy settings
  • Values with spaces or symbols sometimes failed to parse, which I fixed by wrapping them in quotes

Summary

Keep secrets separate from your code and out of the repository. Making this your very first rule prevents almost all incidents. Next, I want to look into a way for several people to share these values safely.

