In modern software development, hardcoding configuration details—such as API keys, database credentials, or API URLs—directly into your source code is considered a major security risk and a best practice violation.
Use .env files for local development and CI testing. For production, migrate to platform-native environment variables or a secrets management service.
In the Node.js ecosystem, the standard package for managing environment variables is dotenv. To support multiple .env- files, developers often use an extension package called dotenv-flow or configure dotenv manually based on the NODE_ENV variable.
On Linux/macOS servers, set chmod 600 .env-production so only the application user can read the file. In the Node
Report compiled on April 18, 2026.
settings = Settings()
API_KEY=sk_live_abc123...
.env*
# .gitignore
.env-production
.env-staging
.env-local
.env-*.local
Or, use naming without the dot prefix:
file is the industry-standard way to keep your configuration private and separate from your codebase.

What is a .env file?
# Check if your ignore rule covers the dash
cat .gitignore | grep "\.env"
const path = require('path');

// Pick the env file from the first CLI argument, defaulting to development.
const env = process.argv[2] || 'development';
const envFile = path.join(__dirname, `.env-${env}`);
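Building on the file-selection snippet and the chmod 600 advice above, this added example (not from the original page or from dotenv) allow-lists the environment name and refuses a dash-named env file that has any group or other permission bit set. The names `ALLOWED_ENVS`, `resolveEnvFile`, `auditEnvFile`, `loadEnv` and the sample URL are assumptions, and the small parser stands in for dotenv.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumption: the only environment names this application accepts.
const ALLOWED_ENVS = new Set(['development', 'staging', 'production']);

// Allow-list the name so a value like "../other" never reaches path.join().
function resolveEnvFile(baseDir, envName) {
  if (!ALLOWED_ENVS.has(envName)) throw new Error('unknown environment name');
  return path.join(baseDir, `.env-${envName}`);
}

// List problems: symlinks/directories, or any group/other permission bit.
function auditEnvFile(file) {
  const st = fs.lstatSync(file);
  const problems = [];
  if (!st.isFile()) problems.push('not a regular file');
  if (process.platform !== 'win32' && (st.mode & 0o077) !== 0) {
    problems.push(`mode ${(st.mode & 0o777).toString(8)} is wider than 600`);
  }
  return problems;
}

// Minimal KEY=VALUE parser for this demo; dotenv also handles quoting.
function parseEnv(text) {
  const pairs = [...text.matchAll(/^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/gm)];
  return Object.fromEntries(pairs.map((m) => [m[1], m[2]]));
}

function loadEnv(baseDir, envName) {
  const file = resolveEnvFile(baseDir, envName);
  const problems = auditEnvFile(file);
  if (problems.length) throw new Error(`${file}: ${problems.join('; ')}`);
  return parseEnv(fs.readFileSync(file, 'utf8'));
}

// Constructed demo: a temp .env-production, audited at 644 and loaded at 600.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'envdemo-'));
  const file = path.join(dir, '.env-production');
  fs.writeFileSync(file, 'API_URL=https://api.example.test\n');
  fs.chmodSync(file, 0o644);
  const before = auditEnvFile(file);
  fs.chmodSync(file, 0o600);
  const after = loadEnv(dir, 'production');
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, after };
}
```

Calling `loadEnv(__dirname, process.argv[2] || 'development')` at startup makes the process fail fast on an unexpected name or an over-permissive file.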