.env and the Consequences of Its Usage

Issue

There's advice that any configuration that can change depending on the deployment environment should be turned into environment variables (OS Environment). Typically, we use a .env file to store these variables. The .env file is usually placed in .gitignore and is only created when deploying the application to the Internet environment or running it locally. A .env file may look like this:

DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=password
...

However, sometimes we need more flexibility with .env, where it can change based on an environment variable passed in. For example, it could change through the NODE_ENV variable. In that case, we have .env.local, .env.development, .env.production, and when running, you only need NODE_ENV=local node index.js, and .env.local will be automatically used.

Another solution besides using .env is to store configuration in any file format such as JavaScript, JSON, yml... using it is similar to .env, but it allows nested configurations for clearer configuration partitioning. However, both methods still create files to store environment variables.

Currently, I'm still using .env in some of my projects, and I can't deny its convenience. However, .env is not without its drawbacks.

Firstly, there's the issue of security. .env files are no different from unencrypted text files, so anyone can read them. People often copy or send .env files directly to each other through messaging apps, potentially exposing or intentionally leaking the content.

Secondly, .env files don't have access control, meaning anyone with permission can access them. This inadvertently reveals the content of all variables. For example, if a fellow developer requests permission to start a project locally pointing to the staging environment, we may have to send the entire .env content for the staging environment.

Since .env is considered sensitive, it's usually not committed to Git. This makes it difficult to track changes to variables in .env through this tool. Instead, we often add a file like .env.example to store the possible values in .env. However, this approach only provides insight into the structure of .env without managing its content. Adding a new variable and forgetting to update it in other environment files can lead to application errors.

It can be disastrous if we accidentally commit .env to the project or forget to exclude it in .dockerignore. This is a human error but is one of the issues that can cause security leaks if not detected early.

So, do we have a better solution?

Alternative to Traditional .env

With the existing advantages mentioned above, we naturally have many alternative solutions to efficiently manage environment variables. One such solution is Azure Secrets Manager or Vault. However, these tools seem more suitable for complex configurations and future scalability. If you need a simpler tool focused on managing security variables, Infisical is a much easier and time-saving solution.

Infisical is an open-source end-to-end encryption solution that can be used to synchronize environment variables within a team and infrastructure. By using Infisical, we can address most of the issues mentioned at the beginning of the article.

The source code of Infisical can be found at Infisical Github, and we can deploy our own server using various methods such as Docker, AWS, DigitalOcean, etc. Alternatively, Infisical provides a completely free Cloud service with some limitations. Interested readers can sign up at Infisical Signup.

Infisical

Infisical supports many Cloud services like AWS, Vercel, Netlify, or Frameworks/Libraries like React, Vue, SvelteKit, etc.

For example, in Node.js, after adding environment variables to Infisical, you can start a Node.js project by:

$ infisical init
$ infisical run -- npm start

At this point, environment variables will be passed into the Node application.

To see a full list of integrations and usage in other projects, readers can check Infisical Integrations.

Conclusion

.env is one of the ways to manage environment variables when deploying applications to different environments. However, the approach via .env is somewhat outdated and can lead to various issues. Infisical can be considered a simple and more efficient solution compared to Vault or Azure Secrets Manager.