๐ก๏ธ .env Checklist
DevSecOps
Essential best practices for managing environment variables and
.env
files in your projects.
0 / 10 completed
๐ Exclude .env from version control
Add
.env
to your
.gitignore
to prevent secrets from being committed to the repository.
๐ Keep a .env.example file
Create a
.env.example
with the required variables and dummy values to document the project for your team.
๐ Use UPPERCASE_SNAKE_CASE for variables
Example:
DATABASE_URL
,
API_KEY
. Avoid lowercase or hyphens to keep consistency.
๐งช Separate environments (dev, test, prod)
Use files like
.env.development
,
.env.test
, and
.env.production
if your framework supports it.
โ ๏ธ Validate critical variables at startup
Your app should throw a clear error if essential variables like
JWT_SECRET
or
DB_PASSWORD
are missing.
๐ซ Avoid unnecessary quotes
Unless the value contains spaces or special characters, write them without quotes (e.g.
NODE_ENV=production
).
๐๏ธ Don't hardcode secrets in source code
Never write API keys or passwords directly in the source code. Always use environment variables.
๐ Rotate secrets periodically
Change sensitive keys and passwords regularly, especially in production environments.
๐ Manage file permissions (Linux)
On servers, use
chmod 600 .env
to prevent other users from reading the file.
โ๏ธ Use Secret Managers in Production
Prefer tools like
HashiCorp Vault
,
AWS Secrets Manager
, or
Azure Key Vault
over physical files.