Environment Variable Management in Production

By Admin · Mar 25, 2026 · Updated Apr 23, 2026 · 597 views · 2 min read

Why Environment Variables?

Environment variables separate configuration from code:

  • Secrets (API keys, database passwords) never touch git
  • Environment-specific values (URLs, ports) change without code changes
  • Feature flags toggle behavior without deployment

The .env Pattern

Local Development

# .env (never committed)
DATABASE_URL=postgres://localhost:5432/myapp_dev
REDIS_URL=redis://localhost:6379
API_KEY=dev-key-not-real
STRIPE_SECRET_KEY=sk_test_...
LOG_LEVEL=debug

# .env.example (committed: template for developers)
DATABASE_URL=postgres://localhost:5432/myapp_dev
REDIS_URL=redis://localhost:6379
API_KEY=your-api-key-here
STRIPE_SECRET_KEY=sk_test_your-key
LOG_LEVEL=debug

Danger: Never commit .env files. Add .env to .gitignore immediately. A leaked .env in git history requires rotating every secret it contained.

Loading in Different Languages

Node.js:

// npm install dotenv
require('dotenv').config();
const dbUrl = process.env.DATABASE_URL;

Python:

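# pip install python-dotenv
import os

from dotenv import load_dotenv

load_dotenv()  # reads .env from the working directory or a parent directory
db_url = os.environ["DATABASE_URL"]  # raises KeyError if the variable is unset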

PHP:

// composer require vlucas/phpdotenv
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader

$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
$dbUrl = $_ENV['DATABASE_URL'];

Production Deployment

Option 1: System Environment (systemd)

# /etc/systemd/system/myapp.service
[Service]
EnvironmentFile=/etc/myapp/env

Option 2: Docker / Docker Compose

services:
  app:
    env_file: .env.production
    environment:
      - NODE_ENV=production

Option 3: Cloud Secrets Manager

  • AWS Secrets Manager / Parameter Store
  • Google Cloud Secret Manager
  • HashiCorp Vault

Validation

Always validate required env vars at startup:

const required = ['DATABASE_URL', 'REDIS_URL', 'API_KEY', 'JWT_SECRET'];
for (const key of required) {
    if (!process.env[key]) {
        console.error(`Missing required environment variable: ${key}`);
        process.exit(1);
    }
}
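
A stricter version of the startup check, as an added example that is not part of the original article: it also rejects unfilled .env.example placeholders and development values in production, and builds a log-safe copy of the configuration. The rule set, the use of NODE_ENV to detect production and the sample values are assumptions.

```javascript
// Variable names come from the article; the rules are assumptions of this example.
const REQUIRED = ['DATABASE_URL', 'REDIS_URL', 'API_KEY', 'JWT_SECRET'];
// Placeholder style of the article's .env.example ("your-api-key-here").
const PLACEHOLDER = /^your-/i;
// Names treated as secret when logging (assumed naming convention).
const SECRET_NAME = /(KEY|SECRET|PASSWORD|TOKEN)$/i;

function validateEnv(env) {
  const problems = [];
  const isProd = env.NODE_ENV === 'production';
  for (const key of REQUIRED) {
    const value = (env[key] || '').trim();
    if (!value) problems.push(`${key}: missing or empty`);
    else if (PLACEHOLDER.test(value)) problems.push(`${key}: unfilled template placeholder`);
  }
  // "Different keys per environment": a Stripe test key must not reach production.
  if (isProd && /^sk_test_/.test(env.STRIPE_SECRET_KEY || '')) {
    problems.push('STRIPE_SECRET_KEY: test key with NODE_ENV=production');
  }
  if (isProd && /(\/\/|@)(localhost|127\.0\.0\.1)[:\/]/.test(env.DATABASE_URL || '')) {
    problems.push('DATABASE_URL: points at localhost in production');
  }
  return problems; // names and reasons only, never the values
}

// Copy of the config that is safe to log: secret-named values and URL passwords masked.
function redactEnv(env, keys = [...REQUIRED, 'STRIPE_SECRET_KEY', 'LOG_LEVEL']) {
  const out = {};
  for (const key of keys) {
    if (env[key] === undefined) continue;
    out[key] = SECRET_NAME.test(key)
      ? '[redacted]'
      : env[key].replace(/(:\/\/[^:\/@]+:)[^@]+@/, '$1[redacted]@');
  }
  return out;
}

// Constructed sample input (not real credentials); an application would pass process.env
// and call process.exit(1) when validateEnv returns any problem.
const sample = {
  NODE_ENV: 'production',
  DATABASE_URL: 'postgres://app:s3cret@db.internal:5432/myapp',
  REDIS_URL: 'redis://cache.internal:6379',
  API_KEY: 'your-api-key-here',
  STRIPE_SECRET_KEY: 'sk_test_abc123',
  LOG_LEVEL: 'info',
};
console.log(validateEnv(sample), redactEnv(sample));
```
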

Security Checklist

| Practice | Why |
|---|---|
| .env in .gitignore | Prevent accidental commits |
| Different keys per environment | Limit blast radius |
| Rotate keys regularly | Reduce exposure window |
| Audit access to production secrets | Know who can see what |
| Never log secret values | They end up in monitoring systems |