dotenv
dotenv is a convention and library for loading environment variables from a .env file into a process, popularized by the Node.js dotenv package.
Why It Matters
dotenv simplified local development but also created a common attack vector. The .env file is the single most frequently leaked secret container — GitGuardian flags .env files as the #1 source of exposed credentials in their annual reports.
How It Works
A .env file contains key-value pairs (e.g., `API_KEY=sk-abc123`). The dotenv library reads this file and injects the values into the process environment at startup. In production, the same variables are typically set through the deployment platform.
Best Practices
- Add .env to .gitignore in every project
- Use .env.example with placeholder values for documentation
- Never use .env files in production — use platform secrets management
- Different .env files for development, staging, production
Common Mistakes
- Forgetting to add .env to .gitignore
- Using real credentials in .env.example
- Sharing .env files via Slack or email
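The following is an added example, not code from the dotenv package or from ShieldKey. It illustrates two things from this page: how a dotenv-style loader reads KEY=VALUE lines from a .env file and, by default, leaves variables the platform already set untouched (the "How It Works" section), and a small repository hygiene check for two of the mistakes listed above that are visible in files, namely .env missing from .gitignore and real-looking credentials in .env.example. File contents are passed in as strings, the quoting rules are a simplified subset of what the real library supports, and the placeholder list and "looks like a secret" heuristic are constructed for this example.

```javascript
// Added example (not the dotenv package's code): a minimal dotenv-style loader
// plus a .gitignore / .env.example hygiene check. All sample data is constructed.

const LINE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/;

function parseDotenv(text) {
  const result = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;        // blank or comment line
    const m = LINE.exec(line);
    if (!m) continue;                                    // malformed line is ignored
    let value = m[2].trim();
    if (value.length >= 2 && value[0] === '"' && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\n/g, '\n'); // double quotes expand \n
    } else if (value.length >= 2 && value[0] === "'" && value.endsWith("'")) {
      value = value.slice(1, -1);                        // single quotes: literal
    } else {
      value = value.replace(/\s+#.*$/, '').trim();       // drop an inline comment
    }
    result[m[1]] = value;
  }
  return result;
}

// dotenv semantics: a variable already present in env wins unless override=true.
// Returns the keys that were actually written.
function loadDotenv(text, env, override = false) {
  const applied = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (override || !Object.prototype.hasOwnProperty.call(env, key)) {
      env[key] = value;
      applied.push(key);
    }
  }
  return applied;
}

// Constructed list of placeholder shapes that are fine in .env.example.
const PLACEHOLDERS = [
  /^<[^>]*>$/,                                  // <your-api-key>
  /^your[-_]/i,                                 // your-api-key
  /^(changeme|replace[-_]?me|todo|example)$/i,
  /^x{3,}$/i,                                   // xxxxxxxx
];

function isPlaceholder(value) {
  return value === '' || PLACEHOLDERS.some((re) => re.test(value));
}

// Constructed heuristic: a long mixed letter/digit value that is not a known
// placeholder is treated as a possibly real credential.
function looksLikeSecret(value) {
  return !isPlaceholder(value) && value.length >= 16 && /[A-Za-z]/.test(value) && /\d/.test(value);
}

function gitignoreCoversDotenv(gitignoreText) {
  const patterns = gitignoreText.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'));
  // Accept the common spellings of an ignore rule for .env.
  return patterns.some((p) => ['.env', '/.env', '**/.env', '.env*', '*.env'].includes(p));
}

function checkRepoHygiene({ gitignore, envExample }) {
  const findings = [];
  if (!gitignoreCoversDotenv(gitignore)) findings.push('.env is not listed in .gitignore');
  for (const [key, value] of Object.entries(parseDotenv(envExample))) {
    if (looksLikeSecret(value)) findings.push(`.env.example: ${key} looks like a real credential`);
  }
  return findings;
}

// Constructed sample files.
const SAMPLE_ENV = ['# database', 'DB_HOST=localhost', 'DB_PORT=5432 # default', 'API_KEY="sk-abc123"',
  "GREETING='hello # not a comment'", 'export SECRET_TOKEN=shh', 'not a key value line'].join('\n');
const SAMPLE_GITIGNORE = 'node_modules/\n# secrets\n.env\n';
const SAMPLE_EXAMPLE = 'API_KEY=<your-api-key>\nDB_PASSWORD=\nSECRET_TOKEN=sk-live-9f8e7d6c5b4a3210';

// Simulate a platform that already set API_KEY: the .env value must not replace it.
const platformEnv = { API_KEY: 'platform-managed' };
console.log('applied:', loadDotenv(SAMPLE_ENV, platformEnv).join(', '), '| API_KEY =', platformEnv.API_KEY);
console.log('findings:', checkRepoHygiene({ gitignore: SAMPLE_GITIGNORE, envExample: SAMPLE_EXAMPLE }));
```

The no-override default is the detail worth noticing: in a deployment where the platform already injects `API_KEY`, a stray .env file shipped by mistake does not silently replace the managed value, but it would if the loader were called with override enabled, which is one more reason to keep .env files out of production images entirely. The hygiene check is a heuristic, so treat its output as a prompt to look, not as proof either way.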
How ShieldKey Helps
ShieldKey replaces the need to put raw API keys in .env files. Store your Shield Token instead — if it's ever leaked, revoke it instantly without rotating the underlying API key.
FAQ
Is dotenv safe for production?
No. dotenv is designed for local development. In production, use your platform's secrets management (AWS Secrets Manager, Railway variables, etc.) or a proxy like ShieldKey.