.env and the Consequences of Its Usage

Daily short news for you

A software that converts text to speech created by a Vietnamese programmer - J2TEAM - Text to Speech (Free). You can convert dozens of languages into dozens of different natural voices. The special thing is that it is free.

In preliminary evaluation, the conversion of long texts or texts in pure Vietnamese is very good. However, when it includes English words, it sounds a bit funny 😅

» Read more
How terrifying, Codeium - known as a competitor to Github Copilot, as it allows users to use it for free without limits. Recently, they introduced the Windsurf Editor - no longer just a VSCode Extension but a full Editor now - directly competing with Cursor. And the main point is that it... is completely free 🫣.

» Read more
There is a rather interesting study that I came across: "Users never bother to read things they don't want to." (That's a bold statement, but it's more true than not. 😅)

Don't believe it? I bet you've encountered situations where you've clicked on a button repeatedly and it doesn't respond, but in reality, it has displayed an error message somewhere. Or you've filled out everything and then when you hit the submit button, it doesn't go through. Frustrated, you scroll up or down to read and find out... oh, it turns out there's an extra step or two you need to take, right?

It’s not far from the blog here. I thought that anyone who cares about the blog would click on the "Allow notifications" button just below the post. But the truth is, no one bothers to click it. Is it because they don't want to receive notifications? Probably not! I think it's because they just didn’t read that line.

The evidence is that only when a notification pops up and takes up half the screen, or suddenly appears to grab attention, do they actually read it—and of course, it attracts a few more subscribers—something that was never achieved before.

» Read more

Issue

There's advice that any configuration that can change depending on the deployment environment should be turned into environment variables (OS Environment). Typically, we use a .env file to store these variables. The .env file is usually placed in .gitignore and is only created when deploying the application to the Internet environment or running it locally. A .env file may look like this:

DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=password
...

However, sometimes we need more flexibility with .env, where it can change based on an environment variable passed in. For example, it could change through the NODE_ENV variable. In that case, we have .env.local, .env.development, .env.production, and when running, you only need NODE_ENV=local node index.js, and .env.local will be automatically used.

Another solution besides using .env is to store configuration in any file format such as JavaScript, JSON, yml... using it is similar to .env, but it allows nested configurations for clearer configuration partitioning. However, both methods still create files to store environment variables.

Currently, I'm still using .env in some of my projects, and I can't deny its convenience. However, .env is not without its drawbacks.

Firstly, there's the issue of security. .env files are no different from unencrypted text files, so anyone can read them. People often copy or send .env files directly to each other through messaging apps, potentially exposing or intentionally leaking the content.

Secondly, .env files don't have access control, meaning anyone with permission can access them. This inadvertently reveals the content of all variables. For example, if a fellow developer requests permission to start a project locally pointing to the staging environment, we may have to send the entire .env content for the staging environment.

Since .env is considered sensitive, it's usually not committed to Git. This makes it difficult to track changes to variables in .env through this tool. Instead, we often add a file like .env.example to store the possible values in .env. However, this approach only provides insight into the structure of .env without managing its content. Adding a new variable and forgetting to update it in other environment files can lead to application errors.

It can be disastrous if we accidentally commit .env to the project or forget to exclude it in .dockerignore. This is a human error but is one of the issues that can cause security leaks if not detected early.

So, do we have a better solution?

Alternative to Traditional .env

With the existing advantages mentioned above, we naturally have many alternative solutions to efficiently manage environment variables. One such solution is Azure Secrets Manager or Vault. However, these tools seem more suitable for complex configurations and future scalability. If you need a simpler tool focused on managing security variables, Infisical is a much easier and time-saving solution.

Infisical is an open-source end-to-end encryption solution that can be used to synchronize environment variables within a team and infrastructure. By using Infisical, we can address most of the issues mentioned at the beginning of the article.

The source code of Infisical can be found at Infisical Github, and we can deploy our own server using various methods such as Docker, AWS, DigitalOcean, etc. Alternatively, Infisical provides a completely free Cloud service with some limitations. Interested readers can sign up at Infisical Signup.

Infisical

Infisical supports many Cloud services like AWS, Vercel, Netlify, or Frameworks/Libraries like React, Vue, SvelteKit, etc.

For example, in Node.js, after adding environment variables to Infisical, you can start a Node.js project by:

$ infisical init
$ infisical run -- npm start

At this point, environment variables will be passed into the Node application.

To see a full list of integrations and usage in other projects, readers can check Infisical Integrations.

Conclusion

.env is one of the ways to manage environment variables when deploying applications to different environments. However, the approach via .env is somewhat outdated and can lead to various issues. Infisical can be considered a simple and more efficient solution compared to Vault or Azure Secrets Manager.

Premium

5 profound lessons

Every product comes with stories. The success of others is an inspiration for many to follow. 5 lessons learned have changed me forever. How about you? Click now!

View all

Subscribe to receive new article notifications

or

* The summary newsletter is sent every 1-2 weeks, cancel anytime.

Hello, my name is Hoai - a developer who tells stories through writing ✍️ and creating products 🚀. With many years of programming experience, I have contributed to various products that bring value to users at my workplace as well as to myself. My hobbies include reading, writing, and researching... I created this blog with the mission of delivering quality articles to the readers of 2coffee.dev.Follow me through these channels LinkedIn, Facebook, Instagram, Telegram.

Did you find this article helpful?

NoYes

Comments (1)