Environment Variables 101: Secure Your Secrets Like a Pro

So you are ready to use your secret credentials for your awesome project but have no idea how to hide them from the world? You’re in the perfect place! Let’s dive into the steps you should follow to add environment variables to your project using dotenv.

In this post, you will find solutions for Ruby on Rails and Javascript projects. Simply select the approach that best fits your tech stack.

Why use environment variables?

I am pretty sure you already know why environment variables are essential, but just to get it out of our way, let’s take a moment and dig a bit deeper. Why do we need to use environment variables? Is it because everyone else is using them? I am sure your gut feeling tells you that’s not the case. So, what’s the main reason?

Security is the key to all your environment variable questions

The first and most important answer to this question is Security. Imagine you have credentials for a database with sensitive user information, like financial data. Or perhaps you have an API key that you get charged for using, e.g an API for sending emails.

To use these sensitive credentials in your codebase, you’ll eventually need to hardcode them. The problem with hardcoding is that whoever accesses your code, even accidentally, could gain access to these credentials. This could lead to a major security breach, especially if they start using them for personal gain, leaving you with the charges!

How do we solve this? Dotenv to the rescue! 🦸‍♂️

What is dotenv?

Dotenv is a popular library that helps with managing variables in applications. It loads environment variables from an .env file to your development environment, making them accessible via the process.env for Javascript developers or through ENV for Rails developers.

In Javascript, the library’s name is dotenv and, in Rails, its name is dotenv-rails.

But what is an .env file? An .env file is a simple text file used to store environment variables for an application. It typically contains key:value pairs, like API_KEY=123456, and is used to keep sensitive information separate from the application code.

Using dotenv allows our code to pull specific values from a secure, designated location instead of hardcoding them into the codebase. These values are loaded by dotenv from the .env file.

Environment variables for Javascript

As mentioned above, we will be using the dotenv library for our Javascript project.

How to install dotenv?

The first thing we need to do is install the dotenv package by typing:

npm install dotenv

(In case you are wondering, we don’t need the--save flag to record dotenv in our package.json dependencies).

The next thing we need to do is create our .env file by doing:

touch .env

How to use dotenv?

Great, so we have our empty .env file and dotenv installed. Let’s combine all the necessary pieces and make this work.

In the .env file, add an API_KEY variable like this:

API_KEY="my super secret key here"

To load the dotenv library and make it populate all variables from our .env file, simply add the following line to your code:

require('dotenv').config();

// or ES6 if you have "type": "module" enabled in your package.json
import "dotenv/config";

Make sure to add this line at the very beginning of your code to load environment variables as early as possible.

By loading dotenv, all variables from our .env file are added to process.env (in JavaScript) or ENV (in Rails).

Environment variables for Rails

For our Rails project, we’ll be using dotenv-rails to manage environment variables. Here’s how to set it up and use it effectively:

How to install dotenv rails?

In your Gemfile add the following line

  gem 'dotenv-rails'

Remember, you need to activate this for your development and test environment, so if you have used the Rails generator, you will see the development/test group near the bottom of your Gemfile. That’s where you need to add your new dotenv-rails gem.

group :development, :test do  
  gem 'dotenv-rails' # add this line
end

Otherwise, you could also add the following code:

gem 'dotenv-rails', groups: [:development, :test]

You need to create an .env file now in which you’ll be adding all your environment variables. In your terminal, type:

touch .env

Let’s now proceed with installing the new gem that we added to our Gemfile:

bundle install

How to use dotenv rails?

Suppose we have the following env variable in our .env file

MY_VARIABLE="cool-password-here"

Depending on where you are, you might see the following ways to access your environment variable

value = ENV["MY_VARIABLE"]

or in a YAML file, e.g database.yml

<%= ENV.fetch("MY_VARIABLE") %>

Different .env files per environment

In some cases, you will need to use different .env files per environment.

Common setups are:

• A single.env file for all environments
• Separate .env files for each environment, such as .env.development, .env.test and .env.production.

This approach may make it easier for you to manage environment-specific settings and needs.

How to create an .env template file?

Regardless of the names you’ve included in your .env files, sharing them with your team can pose challenges since you won’t be including the .env file in your repository, for security reasons.

So, if you’re not sharing the .env file, how will your team – or anyone else working on the codebase – know which variable names to use?

The solution is to create an .env template file that lists all your variable keys but NOT their values. Once you’ve set up your .env file and are ready to create a template, run the following command in your terminal:

# where .env is an example of a file name, yours maybe different.

dotenv -t .env

By doing so you will see a newly generated env file which will have the same keys as in the .env, but only placeholders as their respective values.

So, suppose we have the following .env

MY_DB_PASSWORD="my db password"
MY_AUTH_PASSWORD="my auth password"

by executing the env template command, we’ll get the following .env.template file

MY_DB_PASSWORD=MY_DB_PASSWORD
MY_AUTH_PASSWORD=MY_AUTH_PASSWORD

The .env.template file can be shared with your team members with no fear. Afterward, you’ll just need to find a secure way to share the actual env values so they can replace the placeholders and use them instead.

Add .env files to .gitignore

So far, we’ve discussed creating and using an .env file, but how can we prevent it from being accidentally committed to version control?

To ignore our .env files, we need to add to our .gitignore file:

.env

This way, we are ignoring our .env file and not our .env-template (if we have generated one).

In case we have more than one .env files, e.g .env.production and .env.test and we want to ignore these but not the template file we will have to change our previous entry to:

.env*
!.env.template

Try testing this by running git status to ensure the .env file is indeed being ignored before committing your code. It’s always a good idea to double-check and validate your setup to avoid accidental commits.

Make sure to add your sensitive files to .gitignore to prevent them from being committed! This simple step protects your sensitive data from accidental exposure.

For more configuration settings, check the dotenv GitHub page.

Frequently Asked Questions 🤔

Should I use Vite’s dotenv or dotenv package?

Vite is using dotenv to load environment variables from specific files like e.g .env, .env.local. Because of this you don’t need to install dotenv separately, you just need to create these files in your project and use them.

I would suggest staying with Vite’s approach for simple projects. If you need more control and flexibility. then consider installing the dotenv package

Which command prints partial or full environment variables?

Let’s assume our variable’s key is API_KEY. To print its value, we have the following commands available:

For Javascript

In your codebase:

// To print all environment variables, use:

console.log(process.env);

// Or to print a specific variable:

console.log(process.env.API_KEY);

In your terminal:

Environment variables from your project’s .env file are not loaded as a part of your shell’s environment. Your shell’s session keeps track of its own set of variables. So, if you try to do something like printenv API_KEY it won’t work unless you have explicitly exported your app’s .env file’s variables in your shell’s session.

To be able to print your project’s variables while inside a shell, you need to load them first by doing:

source .env

The source command will load your .env file variables directly in your shell’s session. By doing that, you now can type

echo $API_KEY

and see the value of your variable. Remember, though, that this will be temporary and only for your current shell session. If you close your terminal and start another session, your variables will not be available unless you reload them.

For Rails

In your codebase:

// To print all environment variables, use:

puts ENV.inspect

// Or to print a specific variable:

puts ENV['API_KEY']

For terminal use, it’s the same as Javascript.

🌟 We hope you found our post helpful. Keep your secrets safe, and happy coding! 🌟