## What are Environment Variables?
Environment variables are configuration values stored outside your code. They let you change how your app behaves without changing the code itself - perfect for secrets, API keys, and settings that differ between development and production.
Think of environment variables like switches on a machine. Same machine, different settings depending on where it is running.
## Why Environment Variables Exist
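Hard-coding values is dangerous and inflexible. If you commit secrets to a public GitHub repository, anyone can read them, and they remain in the Git history even after you remove them from the latest commit. If you need different values for development versus production, you need separate code.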
Environment variables solve this by storing configuration outside your code. Secrets stay safe, and you can use different values per environment.
## How to Use Environment Variables
Every programming language provides ways to access environment variables:
- **Node.js**: Access with `process.env`
- **Python**: Use `os.getenv`
- **Java**: Use `System.getenv`
## .env Files
Manually setting variables is tedious. Use .env files to store variables locally.
Load with libraries like dotenv for Node.js, python-dotenv for Python, or similar packages for other languages.
**CRITICAL**: Add .env to .gitignore so secrets do not get committed!
## Different Environments
Same code, different variables. Create separate .env files for development and production with different values for database URLs, API keys, and debug flags.
Your app behaves differently based on which environment it runs in.
## What to Store in Environment Variables
**Always**:
- API keys and secrets
- Database credentials
- Third-party service tokens
- Encryption keys
- OAuth credentials
**Often**:
- Feature flags
- Port numbers
- Service URLs
- Email configuration
- Storage bucket names
**Never**:
- Large data structures (use config files)
- Binary data
- Frequently changing values
## Security Best Practices
- **Never Commit Secrets**: Add .env to .gitignore immediately
- **Use .env.example**: Commit a template that shows which variables are needed, without actual values
- **Rotate Secrets Regularly**: Change API keys and passwords periodically
- **Limit Access**: Only give production secrets to people who need them
- **Use Secret Management**: Use services like AWS Secrets Manager or HashiCorp Vault for production
## Setting Environment Variables
**Development**: Use .env files
**Production**:
- **Heroku**: Use heroku config commands
- **Vercel**: Dashboard or CLI commands
- **AWS**: Systems Manager Parameter Store
- **Docker**: Pass with flags or docker-compose files
- **Kubernetes**: ConfigMaps and Secrets
## Common Environment Variables
- **NODE_ENV**: `development`, `production`, or `test`; tells the app which mode it is running in
- **PORT**: The port the server listens on
- **DATABASE_URL**: Connection string for the database
- **LOG_LEVEL**: How verbose logging should be
- **API_BASE_URL**: Base URL for external APIs
## Debugging Environment Variables
Print them to verify they are loaded properly. Always check if required variables are set.
**Warning**: Never log actual secret values in production!
## Type Safety
Environment variables are always strings. Convert them to appropriate types like numbers or booleans when needed. Provide sensible defaults for optional variables.
## Validation
Validate required variables on startup. Fail fast if configuration is wrong to catch problems early.
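The debugging, type-conversion and startup-validation advice from the three sections above, combined in one Node.js sketch. This is an added example, not code from the original article; the `DEBUG` flag, the `SPEC` table and the function names are assumptions, and the sample values are constructed.

```javascript
// Added example. NODE_ENV, PORT and DATABASE_URL come from the article;
// DEBUG, SPEC and the function names are hypothetical.
const SPEC = {
  NODE_ENV: { type: 'enum', values: ['development', 'production', 'test'], default: 'development' },
  PORT: { type: 'port', default: 3000 },
  DATABASE_URL: { type: 'string', required: true, secret: true },
  DEBUG: { type: 'bool', default: false },
};

const fail = (msg) => { throw new Error(msg); };
// Every raw value is a string, so each type gets an explicit parser.
const PARSERS = {
  string: (v) => v,
  enum: (v, rule) => (rule.values.includes(v) ? v : fail(`must be one of ${rule.values.join(', ')}`)),
  port: (v) => (/^\d{1,5}$/.test(v) && Number(v) >= 1 && Number(v) <= 65535 ? Number(v) : fail('must be an integer from 1 to 65535')),
  bool: (v) => {
    // The string "false" is truthy in JavaScript, so compare text instead.
    if (['1', 'true', 'yes', 'on'].includes(v.toLowerCase())) return true;
    if (['0', 'false', 'no', 'off'].includes(v.toLowerCase())) return false;
    return fail('must be true or false');
  },
};

// Collects every problem, then fails once so startup reports them together.
function loadConfig(env = process.env, spec = SPEC) {
  const config = {}, errors = [];
  for (const [name, rule] of Object.entries(spec)) {
    const raw = env[name];
    if (raw === undefined || raw === '') {
      if (rule.required) errors.push(`${name}: required but not set`);
      else config[name] = rule.default;
      continue;
    }
    try { config[name] = PARSERS[rule.type](raw, rule); }
    catch (err) { errors.push(`${name}: ${err.message}`); } // message never echoes the raw value
  }
  if (errors.length) throw new Error(`Invalid configuration:\n  ${errors.join('\n  ')}`);
  return Object.freeze(config);
}

// View that is safe to log: secret values are replaced by a marker.
function describeConfig(config, spec = SPEC) {
  return Object.fromEntries(Object.entries(config).map(([k, v]) => [k, spec[k].secret ? '[set]' : v]));
}

// Constructed sample environment, not real credentials.
const sample = { PORT: '8080', DEBUG: 'false', DATABASE_URL: 'postgres://app:example@db.internal/app' };
console.log(describeConfig(loadConfig(sample)));
```

Call `loadConfig()` with no arguments at startup to read `process.env`, and log only the output of `describeConfig`.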
## Tools and Libraries
- **dotenv**: Load .env files (most popular)
- **envalid**: Validate and document environment variables
- **env-cmd**: Run commands with specific .env files
- **cross-env**: Set environment variables cross-platform
## The Bottom Line
Environment variables separate configuration from code. This makes your app more secure, flexible, and easier to deploy across different environments.
Master environment variables early. Every professional application uses them. Set up your .env file, add it to .gitignore, and never hard-code secrets again.