[One Package Per Day] Keep Secrets Safe and Clean with dotenv

By JoeVu, at: June 28, 2025, 9:36 a.m.



At Glinteco, we prioritize clean, maintainable, and secure code in all our projects. One simple yet essential package that consistently helps us achieve this is dotenv. It loads configuration from a file into environment variables, so secrets and deployment-specific settings can be kept out of source code and out of the repository. This article explains what dotenv is, how to use it, and why it is valuable for modern Node.js development.

 

What is dotenv

 

The dotenv package reads a .env file and loads its KEY=VALUE pairs into process.env. Every value arrives as a string, and dotenv does not overwrite a variable that is already set in the process environment (unless you pass override: true), so values injected by the host, container runtime or CI system always take precedence over the file. This approach keeps sensitive data and environment-specific configuration separate from the codebase.

 

Here is an example .env file:

 

DATABASE_URL=postgres://user:pass@localhost:5432/mydb
JWT_SECRET=supersecurekey
PORT=3000

 

To load these values into your application:

 

// Load .env from the current working directory into process.env.
// Variables that are already set in the environment are left untouched.
require('dotenv').config();

// For demonstration only: never log connection strings or other secrets in real code.
console.log(process.env.DATABASE_URL);

 

This method keeps your code clean, keeps secrets out of the repository (as long as the .env file itself is never committed), and lets the same code run unchanged across environments that differ only in configuration.
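The file format above and dotenv's merge rule, as an added example that is not code from the article or from the dotenv package: a small hand-rolled parser for the common subset of .env syntax (comment lines, an optional export prefix, single and double quotes, inline comments) and an applyEnv helper that reproduces dotenv's documented default of never overwriting a variable already present in process.env unless override is requested. The sample file content and the injected-by-orchestrator value are constructed for the demonstration. The part worth noticing is the skipped list: a stale .env left on a server cannot silently replace a secret that the platform injected.

```javascript
// Added example: a hand-rolled parser for the common subset of .env syntax and a
// merge helper. Not dotenv's own code; use the real package in applications.

function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;        // blank line or comment
    // Optional "export " prefix, a shell-style identifier, "=", then the value.
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;                                          // malformed line: ignored
    let value = m[2].trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\n/g, '\n');        // double quotes: expand \n
    } else if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
      value = value.slice(1, -1);                              // single quotes: literal
    } else {
      value = value.replace(/\s+#.*$/, '').trim();             // unquoted: strip " # comment"
    }
    result[m[1]] = value;
  }
  return result;
}

// Copy parsed values into env. Variables already present win unless override is
// set, which mirrors dotenv's documented default. Returns names only, so the
// result can be logged without exposing values.
function applyEnv(parsed, env = process.env, { override = false } = {}) {
  const applied = [];
  const skipped = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (!override && Object.prototype.hasOwnProperty.call(env, key)) {
      skipped.push(key);
      continue;
    }
    env[key] = value;
    applied.push(key);
  }
  return { applied, skipped };
}

// Constructed sample file content for the demonstration (not a real deployment).
const SAMPLE_ENV = [
  '# database settings',
  'DATABASE_URL=postgres://user:pass@localhost:5432/mydb',
  'export JWT_SECRET="line1\\nline2"',
  "GREETING='hello # not a comment'",
  'PORT=3000 # inline comment',
  'this line has no equals sign',
].join('\n');

// Simulate a host where the orchestrator already injected JWT_SECRET: the file
// must not be allowed to replace it.
function demo() {
  const parsed = parseDotenv(SAMPLE_ENV);
  const env = { JWT_SECRET: 'injected-by-orchestrator' };
  const outcome = applyEnv(parsed, env);
  return { parsed, env, outcome };
}

const { env: demoEnv, outcome: demoOutcome } = demo();
console.log('applied:', demoOutcome.applied.join(', '));
console.log('skipped (already set):', demoOutcome.skipped.join(', '));
console.log('PORT =', demoEnv.PORT);
```

Run it with node and compare the skipped list against what you expect on a production host; if JWT_SECRET shows up under applied there, the platform is not injecting the secret and the application is depending on a file on disk.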

 

Installation

 

To install dotenv, run the following command:

 

npm install dotenv

 

After installation, create a .env file in the root directory of your project and define your configuration variables. Because the file holds secrets in plaintext, restrict its permissions so that only the account running the application can read it.

Add .env to your .gitignore file before you commit anything, so the secrets never reach version control:

 

echo .env >> .gitignore

 

Ignore the per-environment variants as well (.env.development, .env.staging and so on); the only file of this family that belongs in the repository is a placeholder such as .env.example that lists the variable names without real values. If a .env file has already been committed, ignoring it afterwards is not enough: it must be removed from the index, and every secret it contained should be rotated, because the values remain in the repository history.

 

Practical Example

 

Consider an Express.js application. Instead of hardcoding your server port:

 

const port = 3000;

 

You can write:

 

require('dotenv').config();
const port = process.env.PORT || 3000;

 

This allows you to change the port without modifying source code: simply update the .env file. The fallback after || covers the case where the variable is absent, but keep in mind that process.env.PORT is a string, so any numeric or range check must happen in your code.

 

For multi-environment deployments, you can maintain different files such as .env.development, .env.staging, and .env.production and point config() at the one that matches the current environment. dotenv loads a single file per config() call and does not pick a file from NODE_ENV on its own. In production it is common to ship no .env file at all and rely on variables injected by the platform, which dotenv leaves untouched.

 

Best Practices

 

Here are a few recommendations when working with dotenv:

 

  • Always ensure your .env files are excluded from version control, and keep them out of container images and build artifacts as well.

  • Use default values in your application code for optional settings, so a missing variable does not surface as undefined deep inside the program:

 

const port = process.env.PORT || 8080;

 

  • Validate your environment variables at startup using schema validation libraries such as joi or zod, and fail fast when a required value is missing or malformed. Report the variable name, never its value, so a failed start cannot leak a secret into logs.

  • For referencing variables within other variables, consider using dotenv-expand.
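A fail-fast validator for the variables used in this article, as an added example that is not code from the article or from joi or zod; it shows the idea those libraries package up (a schema checked once at startup, with defaults applied) without a dependency. The rules it enforces, a minimum secret length, an accepted database URL scheme, a valid TCP port range and a fixed set of NODE_ENV values, are this example's own choices, and the two sample environments are constructed. Every error names the offending variable but never echoes its value.

```javascript
// Added example: dependency-free startup validation for the article's variables.
// Rules (secret length, URL scheme, port range, NODE_ENV set) are this example's
// own policy, not something dotenv enforces.

function validateEnv(env) {
  const errors = [];
  const config = {};

  // DATABASE_URL: required, must parse as a URL with a postgres scheme.
  const dbUrl = env.DATABASE_URL;
  if (!dbUrl) {
    errors.push('DATABASE_URL is required');
  } else {
    try {
      const u = new URL(dbUrl);
      if (!['postgres:', 'postgresql:'].includes(u.protocol)) {
        errors.push('DATABASE_URL must use the postgres:// or postgresql:// scheme');
      } else {
        config.databaseUrl = dbUrl;
      }
    } catch {
      errors.push('DATABASE_URL is not a valid URL');
    }
  }

  // JWT_SECRET: required; RFC 7518 wants HMAC keys at least as long as the hash
  // output (256 bits for HS256), so insist on 32 characters as a floor.
  const secret = env.JWT_SECRET;
  if (!secret) errors.push('JWT_SECRET is required');
  else if (secret.length < 32) errors.push('JWT_SECRET must be at least 32 characters');
  else config.jwtSecret = secret;

  // PORT: optional with a default, but when present (even as an empty string)
  // it must be a whole number in the valid TCP range.
  const rawPort = env.PORT ?? '8080';
  const port = Number(rawPort);
  if (!/^\d+$/.test(rawPort) || port < 1 || port > 65535) {
    errors.push('PORT must be an integer between 1 and 65535');
  } else {
    config.port = port;
  }

  // NODE_ENV: optional, constrained to the environments this project deploys.
  const nodeEnv = env.NODE_ENV ?? 'development';
  if (!['development', 'staging', 'production'].includes(nodeEnv)) {
    errors.push('NODE_ENV must be development, staging or production');
  } else {
    config.nodeEnv = nodeEnv;
  }

  return { ok: errors.length === 0, config, errors };
}

// Entry-file wrapper: refuse to start the server if anything is wrong. The exit
// function is injectable so the behaviour can be exercised without killing the process.
function loadConfigOrExit(env = process.env, exit = (code) => process.exit(code)) {
  const { ok, config, errors } = validateEnv(env);
  if (!ok) {
    console.error('Invalid environment:\n  ' + errors.join('\n  '));
    exit(1);
  }
  return config;
}

// Constructed sample environments for the demonstration (not real credentials).
const SAMPLE_GOOD = {
  DATABASE_URL: 'postgres://user:pass@localhost:5432/mydb',
  JWT_SECRET: 'k'.repeat(40),
  PORT: '3000',
  NODE_ENV: 'production',
};
const SAMPLE_BAD = { JWT_SECRET: 'supersecurekey', PORT: '99999', NODE_ENV: 'prod' };

console.log('good env ok:', validateEnv(SAMPLE_GOOD).ok);
console.log('bad env errors:', validateEnv(SAMPLE_BAD).errors);
```

Call loadConfigOrExit() once, right after require('dotenv').config() in the entry file, and pass the returned config object around instead of reading process.env throughout the codebase; that gives the rest of the application typed values and a single place where the contract with the environment is written down.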

 

Common Issues

 

Missing process.env values

 

This typically occurs when the config() method is not called early enough in your code, for example after a module that reads process.env at load time has already been required. Ensure that require('dotenv').config() is executed at the beginning of your entry file. In ES modules this ordering is easy to get wrong because import statements are hoisted and run before any other code in the file; there, import the documented dotenv/config entry point as the very first import, or preload it from the command line with node's -r flag, so the variables exist before any other module is evaluated.

 

.env file not found

 

Make sure the .env file exists in the root directory. dotenv resolves the default path against process.cwd(), not against the location of the file that calls config(), so starting the application from a different directory (a systemd unit, a cron job, a container with another working directory) is a common cause of this error. If the file lives elsewhere, specify a custom path:

 

require('dotenv').config({ path: './config/.env' });

 

Advantages and Limitations

 

Advantages

 

  • Simplifies environment configuration management.
     

  • Keeps secrets out of source files, provided the .env file itself is excluded from version control.
     

  • Enables flexibility across development, testing, and production environments.
     

  • Works well with any Node.js application.

 

Limitations

 

  • Not designed for managing complex configuration hierarchies; it loads flat KEY=VALUE pairs from a single file per config() call.
     

  • Values are stored in plaintext on disk, so anyone who can read the file, a container image or a backup that includes it has the secrets. Production deployments usually inject variables from the platform or a secrets manager rather than shipping a .env file.
     

  • Developers must be disciplined about file exclusions and validation to prevent accidental leaks.

 

Conclusion

 

dotenv is a small yet impactful utility that promotes better software architecture, especially in environments that demand clean separation between code and configuration. At Glinteco, we include it in nearly all Node.js projects to enhance security, maintainability, and scalability. If you have not adopted a .env strategy yet, now is the right time to start.

 


Tag list:
- dotenv best practices
- nodejs environment variables
- dotenv tutorial
- nodejs .env file
- secure config nodejs
- config management nodejs
- dotenv express
- dotenv production
- nodejs config management
- dotenv nodejs
