MWAN MOBILE

×
mwan_logo
blog-banner

Stop Using .env Files in Node.js

Programming 14-Mar-2023

Injecting environment variables into your environment

Like many full stack developers, I began my foray into programming through online courses on Udemy where I learned to build and deploy applications on Heroku. Fast forward 5 years later, my tech-stack evolved to include tools like Next.js and Apollo GraphQL but many principles stayed the same — one such principle was how I handled environment variables with .env files in Node.js.

For context, if you’re unfamiliar with .env files, check out my primer here. They’re a simple but flawed way to store environment variables because of how easily it is to mishandle them. Here are a few common issues that I’ve seen arise in dev teams:

  1. Committing .env files to version control: Developers sometimes forget to git-ignore their files and accidentally end up exposing critical environment variables to bad actors who, by the way, now employ bots to scrape and detect leaked files — I’ve done this before and was graciously saved by GitGuardian that detects leaked files (check them out!).
  2. Sending sensitive data over email: Developers frequently send full .env files over unsecure channels even in medium-large companies. Left unchecked, sensitive credentials can be intercepted.
  3. Forgetting to update others about new keys: Developers frequently add new environment variables and forget to update others about the addition; this leads to unsynced files that are annoying to debug.

It’s clear that a better approach is needed to prevent environment variables from getting accidentally leaked, stop developers from having to send variables over email to keep files in sync, and save debugging hours on missing keys and configs.

It turns out that better solutions do exist in the form of secret managers that allow you to securely store and pull back environment variables into your local processes. That said, many of them like Vault can be cumbersome and frankly overkill to set up depending on the size of your projects.

Seeing this gap, we’ve made an open-source solution called Infisical. It’s an end-to-end encrypted platform that dev teams use to upload their environment variables, view and manage them, and enable their devs to easily pull and inject back values into their local processes. It comes built in with secret versioning, snapshots, and audit logs.

Infisical dashboard

Source: Medium

Programming
Build a Text-to-Speech component in React forword-icon
Programming
10 Essential React Best Practices for Clean and Efficient Code forword-icon
Application Development
Speed Up React Development With Refine forword-icon
Application Development
A Comprehensive Guide to Getting Started with Apache Kafka Using Docker forword-icon
Application Development
React.js Performance Optimization Techniques forword-icon
Programming
React Environment Variables: How To Use Them Securely forword-icon
SERVICES

Enterprise Software Development

Application Development

Digital Marketing & SEO

Digital Consultancy

Events Management & Production

TECHNOLOGIES

Cloud Computing

Internet of Things

Service Delivery Platform

Events Digital

Artificial Intelligence

INDUSTRIES

Government

Healthcare

Supply Chain

Real Estate and Retail

Financial Services

Telco

COMPANY

About

Careers

News

Blog

Copyrights © MWAN Mobile Privacy Policy | Terms and Conditions