Stop using .env files in Node.js
- Tony Dang
Like many full stack developers, I began my foray into programming through online courses on Udemy, where I learned to build and deploy applications on Heroku. Fast forward 5 years: my tech stack has evolved to include tools like Next.js and Apollo GraphQL, but many principles stayed the same — one such principle was how I handled environment variables with .env files in Node.js.
For context, if you’re unfamiliar with .env files, check out my primer here. They’re a simple but flawed way to store environment variables because of how easy it is to mishandle them. Here are a few common issues that I’ve seen arise in dev teams:
- Committing .env files to version control: Developers sometimes forget to git-ignore their .env files and accidentally expose critical credentials to bad actors who, by the way, now run bots that scrape repositories and detect leaked files — I’ve done this myself and was graciously saved by GitGuardian, which detects leaked files (check them out!).
- Sending sensitive data over email: Developers frequently send full .env files over insecure channels, even at medium-to-large companies. Left unchecked, sensitive credentials can be intercepted.
- Forgetting to update others about new keys: Developers frequently add new environment variables and forget to tell the rest of the team; this leads to out-of-sync files that are annoying to debug.
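A lightweight guard for the third problem above, as an added example that is not code from this post or from Infisical: it parses a committed `.env.example` (key names only, never values) and the developer's local `.env`, then reports keys that are missing or undocumented before the app starts. The file names and the sample contents are constructed assumptions.

```javascript
// Added example (not from the post or Infisical): detect drift between a
// committed `.env.example` (key names only, no secrets) and a developer's
// local `.env`, so a missing key fails fast instead of surfacing later as a
// confusing runtime error. Parsing rules follow the common dotenv shape.

// Parse dotenv-style text into a Map of key -> value.
function parseDotenv(text) {
  const vars = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    let line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;        // blank or comment
    if (line.startsWith('export ')) line = line.slice(7).trim(); // `export KEY=...`
    const eq = line.indexOf('=');
    if (eq === -1) continue;                                    // not an assignment
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quote = value[0];
    if (quote === '"' || quote === "'") {
      const end = value.indexOf(quote, 1);                      // matching close quote
      if (end !== -1) value = value.slice(1, end);
    } else {
      value = value.replace(/\s+#.*$/, '');                     // drop inline comment
    }
    if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) vars.set(key, value);
  }
  return vars;
}

// Compare the manifest (.env.example) against the local file (.env).
// A key present but empty locally counts as missing.
function checkEnvSync(exampleText, envText) {
  const expected = [...parseDotenv(exampleText).keys()];
  const local = parseDotenv(envText);
  const missing = expected.filter((k) => !local.has(k) || local.get(k) === '');
  const extra = [...local.keys()].filter((k) => !expected.includes(k));
  return { ok: missing.length === 0, missing, extra };
}

// Constructed sample files: the manifest gained SMTP_HOST, which the local
// .env does not have yet, and the local .env carries an undocumented key.
const EXAMPLE = ['# keys every developer needs; values stay empty here',
  'DATABASE_URL=', 'JWT_SECRET=', 'SMTP_HOST='].join('\n');
const LOCAL_ENV = ['export DATABASE_URL="postgres://localhost/app" # dev db',
  "JWT_SECRET='not-a-real-secret'", 'LEGACY_FLAG=1'].join('\n');

function report() {
  const result = checkEnvSync(EXAMPLE, LOCAL_ENV);
  if (!result.ok) console.error('missing keys in .env:', result.missing.join(', '));
  if (result.extra.length) console.warn('keys not in .env.example:', result.extra.join(', '));
  return result; // here: { ok: false, missing: ['SMTP_HOST'], extra: ['LEGACY_FLAG'] }
}
report();
```

Run it from an npm `prestart` script (reading the two files with `fs.readFileSync`) so that a teammate who added a key is caught at startup rather than during a debugging session.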
It’s clear that a better approach is needed to prevent environment variables from getting accidentally leaked, stop developers from having to send variables over email to keep files in sync, and save debugging hours on missing keys and configs.
It turns out that better solutions do exist in the form of secret managers, which let you store environment variables securely and pull them back into your local processes. That said, many of them, like Vault, can be cumbersome and frankly overkill to set up depending on the size of your projects.
Seeing this gap, we built an open-source solution called Infisical; you can check it out here. It’s an open-source, end-to-end encrypted platform that developers can use to sync environment variables across their team and infrastructure. It lets devs easily pull values and inject them back into their local processes with a 10-minute setup.