Overview
This note covers how to manage environment variables safely. Hardcoding API keys and database connection details into your code risks exposing them by accident, most often by committing them to a shared repository. Keeping those values in a `.env` file for local development, and in the server's environment variables or a secrets management service in production, keeps them out of the code and out of version control.
- Category: Backend
- Related tags: env vars / security / operations
- Updated: 2026-06-03
Background
When I started out, I wrote connection details straight into the source code. Once the team grew and we began sharing the repository, this approach risked leaking sensitive information. There was also a need to switch values per environment, so I decided to clean things up.
Steps
- Create a `.env` file at the project root; it holds real values only on each developer's machine (commit a `.env.example` with placeholder values instead, so newcomers know which keys are needed)
- Add `.env` to `.gitignore` so it is never committed by accident
- Write keys and values in `KEY=value` format, one per line; wrap values that contain spaces or symbols in quotes
- Load them in the app with a dedicated library, and have it fill in only keys that are not already set, so a real environment variable always wins over the file
- In production, use the server's environment variables or a secrets management service, and make sure every required key is registered in the deploy settings
Gotchas
- I had already committed `.env`. I removed it from history too and reissued the leaked keys.
- Values failed to load only in production; the cause was forgetting to register them in the deploy settings.
- Values with spaces or symbols sometimes failed to parse, which I fixed by wrapping them in quotes.
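The loader described in the Steps above, as an added example that is not code from the original note: a minimal stand-in for a library such as python-dotenv, written here so the behaviour is visible and runs offline. It covers the two Gotchas that are about parsing and deployment: quoted values keep their spaces and symbols, and a required key that nobody registered in the deploy settings is reported at startup instead of at first use. The `.env` contents, the `REQUIRED_KEYS` list and the key names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample .env contents (example data, not from any real project).
SAMPLE_DOTENV = """\
# Local development settings
DATABASE_URL=postgres://app:localpass@localhost:5432/app
API_KEY="sk-example key with spaces"
GREETING='hello # not a comment'
EMPTY=
export SENTRY_DSN=https://example.invalid/123
"""

# Assumed list of keys the app cannot start without (hypothetical for this example).
REQUIRED_KEYS = ("DATABASE_URL", "API_KEY")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=value lines.

    Handles blank lines, '#' comments, an optional 'export ' prefix and
    single- or double-quoted values, so spaces and symbols (including '#')
    survive inside quotes. Unquoted values are stripped and cut at ' #'.
    """
    values: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=value, got {raw!r}")
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.isidentifier():
            raise ValueError(f"line {lineno}: invalid key {key!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep everything between the quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop inline comment
        values[key] = value
    return values


def load_dotenv(path: Path, environ: Optional[Dict[str, str]] = None,
                override: bool = False) -> List[str]:
    """Load a .env file into `environ` (os.environ by default).

    Keys that are already set win unless override=True, so a real environment
    variable or a value injected by a secrets manager is never clobbered by a
    stray .env. A missing file is not an error: production usually has none.
    Returns the keys that were actually set.
    """
    env = os.environ if environ is None else environ
    if not path.exists():
        return []
    applied: List[str] = []
    for key, value in parse_dotenv(path.read_text(encoding="utf-8")).items():
        if override or key not in env:
            env[key] = value
            applied.append(key)
    return applied


def check_required(environ: Dict[str, str], required=REQUIRED_KEYS) -> List[str]:
    """Return required keys that are missing or empty; call this at startup so a
    deploy that forgot to register a value fails fast with a clear message."""
    return [k for k in required if not environ.get(k)]


def demo() -> dict:
    """Three scenarios: a developer machine with an empty environment, a
    developer machine where API_KEY is already exported, and a production host
    with no .env where the deploy settings supplied API_KEY but not DATABASE_URL."""
    with tempfile.TemporaryDirectory() as tmp:
        dotenv = Path(tmp) / ".env"
        dotenv.write_text(SAMPLE_DOTENV, encoding="utf-8")

        local_env: Dict[str, str] = {}
        load_dotenv(dotenv, local_env)

        preset_env = {"API_KEY": "already-set"}
        preset_applied = load_dotenv(dotenv, preset_env)

        prod_env = {"API_KEY": "from-secrets-manager"}
        load_dotenv(Path(tmp) / "no-such.env", prod_env)  # production has no .env file
    return {
        "local_missing": check_required(local_env),
        "preset_api_key": preset_env["API_KEY"],
        "preset_applied": preset_applied,
        "prod_missing": check_required(prod_env),
        "prod_api_key": prod_env["API_KEY"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

For the second step in the list, `git check-ignore -v .env` run at the project root prints the matching `.gitignore` rule when the file is ignored and nothing when it is not, which is a quick way to confirm the rule took effect before the first commit.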
Summary
Keep secrets separate from your code and out of the repository. Making this your very first rule removes the most common way keys leak: a committed file that everyone with repository access can read, forever, in the history. Next, I want to look into a way for several people to share these values safely.