
Environment Variables: Managing Configuration Without Hard-Coding

Hard-coded API keys in your code are a security incident waiting to happen. Here's the right way to manage configuration across environments.

5 min read · February 18, 2026 · By FreeToolKit Team

In 2024, GitHub reported removing 1.3 million leaked secrets from public repositories: API keys, database passwords, and private keys committed to git, sometimes minutes after being created. The solution is simple and should be set up on day one of every project.

The .env Setup

Create .env.example with all your variable names and placeholder values — this gets committed and shows other developers what's needed. Create .env.local with real values — this never gets committed. Add .env.local to .gitignore immediately. This workflow means new team members know what variables exist without seeing real secrets.

Naming Conventions

Use SCREAMING_SNAKE_CASE (all caps, underscores). Group related variables with prefixes: DATABASE_URL and DATABASE_MAX_CONNECTIONS for database settings, APP_SECRET and APP_PORT for application settings. In Next.js, prefix browser-exposed variables with NEXT_PUBLIC_ — anything without the prefix is server-only. This naming convention prevents accidentally exposing server secrets to client-side code.

Validating on Startup

Apps that silently fail because of missing environment variables are painful to debug. Add startup validation: check that required variables are set and throw a clear error if they're missing. In Node.js: throw new Error('MISSING ENV VAR: DATABASE_URL is required'). Fail loudly at startup rather than mysteriously at runtime when the variable is first used.
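As an added example (not code from the original article), the following Node.js script ties the .env.example workflow to the startup validation described here: it reads the variable names declared in .env.example, refuses to start unless every one of them is set, and also rejects a NEXT_PUBLIC_ variable whose name suggests a server-side secret. The .env.example contents and the environment values are constructed placeholders.

```javascript
// Added example (not from the original article): .env.example declares which
// variables exist; the app validates them at startup and fails loudly, not at first use.
// Assumes .env.example uses KEY=value lines, '#' comments and blank lines.

// Return the variable names declared in the contents of a .env.example file.
function parseEnvExampleKeys(text) {
  const keys = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue; // skip blanks and comments
    const match = /^(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=/.exec(line);
    if (match) keys.push(match[1]);
  }
  return keys;
}

// Check that every required variable is set and non-empty in `env`. Returns a
// config object with only the declared keys, or throws one error naming every
// missing variable so the developer fixes them in a single pass.
function validateEnv(requiredKeys, env = process.env) {
  const missing = requiredKeys.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length > 0) {
    throw new Error(`MISSING ENV VAR: ${missing.join(', ')} ${missing.length === 1 ? 'is' : 'are'} required`);
  }
  // Guard against the naming mistake the article warns about: a NEXT_PUBLIC_
  // variable (shipped to the browser) whose name says it holds a server secret.
  const exposed = requiredKeys.filter((k) => k.startsWith('NEXT_PUBLIC_') && /SECRET|PASSWORD|PRIVATE|TOKEN/.test(k));
  if (exposed.length > 0) {
    throw new Error(`REFUSING TO START: ${exposed.join(', ')} would be exposed to the browser`);
  }
  return Object.fromEntries(requiredKeys.map((k) => [k, env[k]]));
}

// Constructed .env.example contents and environment (placeholder values, not real).
const EXAMPLE_FILE = `# Database
DATABASE_URL=postgres://user:password@localhost:5432/app
DATABASE_MAX_CONNECTIONS=10
# Application
APP_SECRET=change-me
APP_PORT=3000
NEXT_PUBLIC_API_URL=http://localhost:3000/api`;
const SAMPLE_ENV = {
  DATABASE_URL: 'postgres://app:placeholder@db.internal:5432/app', DATABASE_MAX_CONNECTIONS: '20',
  APP_SECRET: 'constructed-placeholder', APP_PORT: '3000', NEXT_PUBLIC_API_URL: 'https://example.com/api',
};

const config = validateEnv(parseEnvExampleKeys(EXAMPLE_FILE), SAMPLE_ENV);
console.log('Startup OK, loaded:', Object.keys(config).join(', '));
```

In a real project, read the file with fs.readFileSync('.env.example', 'utf8') and call validateEnv with the default process.env before anything else initialises.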

If You've Already Committed a Secret

Rotate the key immediately — don't wait. The credential is compromised the moment it's in git, even if you haven't pushed publicly. After rotating: remove it from the latest commit, rewrite history with git-filter-repo to remove it from all commits (more thorough than git filter-branch), and force push. Rewriting history cleans your repository, but existing clones, forks and caches may still hold the old commits, which is why rotation comes first. Then audit whether the key was used by anyone else.

Pre-commit Hook

Gitleaks (open-source) can run as a pre-commit hook to scan staged files for secrets before they're committed. Add it to your project's setup docs so every developer has the protection. A 50ms check on every commit is worth it.

Frequently Asked Questions

What are environment variables?
Environment variables are key-value pairs set outside your application code — in the operating system environment, a .env file, or a deployment platform's settings. They let you configure your app differently in different environments (development, staging, production) without changing the code. Common uses: API keys, database connection strings, feature flags, and service URLs that differ between environments.
Why should I never commit API keys to git?
Git repositories are frequently made public accidentally, shared with contractors, stored on multiple machines, and indexed by code search tools. Once a secret is in git history, it's permanently visible unless you rotate the key AND rewrite git history (a disruptive process). Tools like Gitleaks and TruffleHog scan public repos for secrets — attackers run these continuously. A single committed API key can result in thousands of dollars in cloud bills within hours.
What's the difference between .env and .env.local?
.env is typically committed to git and contains non-sensitive defaults or placeholder values. .env.local is your local override with real values and should always be in .gitignore. In Next.js specifically: .env is committed, .env.local is not, .env.production is committed with production-appropriate non-secrets, and actual secrets live in your deployment platform's environment settings (Vercel dashboard, etc.).
How do I manage environment variables in production?
Through your deployment platform's secrets management, not .env files. Vercel, Railway, Heroku, AWS, and most platforms have environment variable management built in. Set secrets there, not in committed files. For complex setups, dedicated secrets managers (HashiCorp Vault, AWS Secrets Manager, Doppler) centralize secrets across services and provide audit logs, rotation, and access control.

FreeToolKit Team

We build free browser-based tools and write practical guides that skip the fluff.

Tags: developer, security, configuration, devops