An environment variable is a variable whose value is set outside the code or the application. This variable contains matters that will affect the functions of the program. The environment variable can be used everywhere, from a Single Page Application to your CLI or shell.
These variables also configure the application for different environments such as development, testing, staging and production.
Why do we need an environment variable?
The most common use of environment variables is to set up different configuration options for different programming environments. Environment variables are also widely used to store API keys and Auth Token or application configurations or something you want to keep away from the public.
This will help you make your code predictable by keeping the configuration outside the main codebase.
Environment variable best practices
When we are talking about handling data, we usually keep extra precautions. Here is a list of best practices you should follow while working with environment variables.
Use dotenv/.env
file to manage environment variables
While working with APIs or third-party service providers, you must have seen developers storing the auth-token or the API key in a .env
file.
The .env
file is a value or variable that will help you configure a value in your codebase from outside the application. You can consider this a vault for all your secret or “shhh” keys.
We usually do not expose the data inside the .env
file to the public for security reasons.
Let us understand this with an example; consider yourself making a discord bot; you must store the auth token somewhere not accessible to the public. In that case, the easiest way to do so is to keep it in an environment variable.
Look at this code snippet:
bot_secret_token = "ODI3NzczNzY0NTk4NDk3MzIx.YGf6ZA.0_BG9GFQto4aNwg1idPkHHVMwGY"
Instead of doing this, we can do something secure and away from the public. So we will store the auth token in a .env
file and then call it in the main code.
Here is how we do add the token in an env file.
DISCORD_BOT_SECRET= “ODI3NzczNzY0NTk4NDk3MzIx.YGf6ZA.0_BG9GFQto4aNwg1idPkHHVMwGY”
Now let us call the token in the main code base,
bot_secret_token = process.env.DISCORD_BOT_SECRET
It is as simple as storing all your passwords over the cloud and calling the unique key to access the password every time.
Do not push the .env
file to your Git Repo
This is the most common mistake; folks usually push the environment variables to their GitHub, exposing the key to the world. Some folks hunt these mistakenly pushed environment variables on Github/Gitlab and use them illegally to access your data.
This issue can be avoided by adding the .env
file to your existing .gitignore
file or creating a new one at the root of your repository and adding the .env filename as a new line. Following is the code snippet as an example:
# Inside .gitignore
.env
If in case the .env
file still shows up in your git repo, it can be removed using the below command in your CLI:
git rm -r --cached .env
Use encryption and decryption on environment variables
You might use the .env
file, which sits inside a server, to store important passwords and keys to databases and APIs. Keeping it in text inside a .env
is risky as it may get exposed if the server is compromised. To avoid this issue, one should use Encryption and Decryption. There are a couple of tools and libraries which offer similar functionality. You can try any of those, but we recommend using CryptoJS or Forge.
Here is how you can encrypt your password using CryptoJS
var CryptoJS = require("crypto-js");
var data = "password";
var encrypted = CryptoJS.AES.encrypt(data, "my-secret");
console.log(encrypted.toString());
After you have encrypted the string, copy and paste it to the .env
file.
It can be easily decrypted using the below code snippet:
var decrypted = CryptoJS.AES.decrypt(process.env.PASS, "my-secret");
var object = decrypted.toString(CryptoJS.enc.Utf8);
It can be decrypted if the secret key matches like JWT.
Suppose you are still unsure about the security. In that case, Some services like Azure have special services like Azure Key Vault, where the keys are encrypted and can be injected into the project via a CI/CD or a dev-ops build or directly into VPS or app service.
Use the same variable for the different application environments
It is ultimately an optional practice to do so, but we recommend using the same name for the environment variable, even for different application environments.
For example, if you have My_Sec_token = “Xyz”
, it should be the same for the development, testing, staging and production, Although the values may differ in each case. The reason is - Your code will probably run over different machines for different stages. This will simplify your code and make it easy to use.
Wrapping up
In this blog post, we understood what environment variables are, why they are helpful, and the best practices to keep in mind while using them.
Here are some additional tips you should follow for better use of environment variable:
- Do not share your environment variables
- Do not keep the variables inside your code
- Use a secure vault for encryption and decryption of your secret information
- Do not commit your environment variables to version controls like git.
Top comments (1)
Thank you for this article.
To add to your article, If your are using docker you need to use
Docker Secrets
and If you are using a.env
file on Linux.Control permissions: Make sure that the .env file has strict permissions so that no unauthorized user can access it. like
Run containers with limited privileges: Make sure that your containers are not running as root inside the container, but as a regular user. This can be done by specifying the user inside the container.
Separate sensitive data from global environment variables: Use environment variables in .env for non-sensitive global things like WEBSITE_NAME and WEBSITE_LINK, while managing data like passwords via Docker Secrets or secrets management systems like Vault.