[One Package Per Day] Keep Secrets Safe and Clean with dotenv
By JoeVu, at: June 28, 2025, 9:36 a.m.
![[One Package Per Day] Keep Secrets Safe and Clean with dotenv](/media/filer_public_thumbnails/filer_public/e8/e9/e8e9b936-813c-47e6-a2bc-8fc865a695fc/one_package_per_day_-_dotenv_nodejs.png__1500x900_crop_subsampling-2_upscale.png)
At Glinteco, we prioritize clean, maintainable, and secure code in all our projects. One simple yet essential package that consistently helps us achieve this is dotenv. It allows developers to manage environment variables in a safe and organized way. This article explains what dotenv is, how to use it, and why it is valuable for modern Node.js development.
What is dotenv
The dotenv package loads configuration values from a .env file into process.env, so that secrets and environment-specific settings live outside the codebase. Note what it does not do: the values stay in plain text on disk, and dotenv does not encrypt them. It separates them from source control, nothing more.
Here is an example .env file:
DATABASE_URL=postgres://user:pass@localhost:5432/mydb
JWT_SECRET=supersecurekey
PORT=3000
To load these values into your application:
require('dotenv').config();
console.log(process.env.DATABASE_URL);
This keeps your code clean and your configuration flexible across environments. Your secrets are protected only in the sense that they are no longer committed with the source, so file permissions on the .env file and access to the host still matter.
Installation
To install dotenv, run the following command:
npm install dotenv
After installation, create a .env file in the root directory of your project and define your configuration variables. dotenv reads the file from the current working directory (process.cwd()) by default, so start the application from the project root.
Add .env to your .gitignore before your first commit so the file is never pushed to version control. Cover environment-specific variants with a .env.* pattern as well, and keep only a committed .env.example with placeholder values as documentation for other developers:
echo .env >> .gitignore
Practical Example
Consider an Express.js application. Instead of hardcoding your server port:
const port = 3000;
you can write:
require('dotenv').config();
const port = process.env.PORT || 3000;
This lets you change the port without modifying the source: simply update the .env file. Note that dotenv never overwrites a variable that is already set in the process environment, so a PORT exported by your shell or container wins over the value in the file unless you pass the override option.
For multi-environment deployments you can maintain files such as .env.development, .env.staging and .env.production. dotenv itself only reads .env unless told otherwise, so select the file explicitly through the path option (for example based on NODE_ENV). In production, prefer injecting secrets through the deployment platform's environment or a secrets manager rather than shipping a .env.production file alongside the code.
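The following is an added example, not code from the post or from the dotenv project. It reimplements, in a few lines, the two loading rules above that cause the most confusion: only the file you name is read (nothing picks .env.<NODE_ENV> for you), and a variable already present in the environment is not overwritten unless you opt in, mirroring dotenv's override option. The parser is a simplified stand-in for dotenv.parse (KEY=VALUE lines, # comments, single- or double-quoted values), and the file contents are constructed in memory instead of being read from disk.

```javascript
// Added example (not from the post or from the dotenv package): a minimal loader
// that mimics dotenv's file selection and no-override behaviour.

// Simplified stand-in for dotenv.parse: handles KEY=VALUE, blank lines,
// '#' comments and quoted values. Does NOT expand ${VAR} references,
// exactly like dotenv without dotenv-expand.
function parseEnv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue; // malformed line: skipped, as dotenv does
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if (q === '"' || q === "'") {
      const end = value.indexOf(q, 1); // quoted value: keep everything up to the closing quote
      if (end !== -1) value = value.slice(1, end);
    } else {
      value = value.replace(/\s+#.*$/, ""); // unquoted value: strip an inline comment
    }
    out[key] = value;
  }
  return out;
}

// File name you would hand to dotenv's `path` option for a given NODE_ENV.
function envFileFor(nodeEnv) {
  return nodeEnv ? `.env.${nodeEnv}` : ".env";
}

// Merge parsed values into `env` (normally process.env). Existing keys win
// unless override is true; returns the keys that were actually applied.
function applyEnv(parsed, env, { override = false } = {}) {
  const applied = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (override || !(key in env)) {
      env[key] = value;
      applied.push(key);
    }
  }
  return applied;
}

// Constructed sample files (not real credentials), standing in for disk reads.
const SAMPLE_FILES = {
  ".env.development": [
    "# local developer settings",
    "DATABASE_URL=postgres://dev:dev@localhost:5432/mydb",
    'JWT_SECRET="dev-only-secret" # never reuse in production',
    "PORT=3000 # inline comment is stripped",
  ].join("\n"),
  ".env.production": [
    "DATABASE_URL=postgres://app:${DB_PASSWORD}@db.internal:5432/mydb",
    "PORT=8080",
  ].join("\n"),
};

// Load the file for `nodeEnv` into `env`. Like dotenv.config(), a missing file
// is reported through an `error` property rather than thrown.
function loadFor(nodeEnv, env, opts) {
  const file = envFileFor(nodeEnv);
  const text = SAMPLE_FILES[file];
  if (text === undefined) {
    return { file, error: new Error(`${file} not found`), applied: [] };
  }
  return { file, applied: applyEnv(parseEnv(text), env, opts) };
}

// Demo: PORT was exported by the shell, so the file must not replace it.
const demoEnv = { PORT: "4000" };
console.log(loadFor("development", demoEnv), demoEnv);
```

Run it with different NODE_ENV values to see the file selection, and note that the production DATABASE_URL keeps its literal ${DB_PASSWORD} text: dotenv alone never expands references, which is why the post recommends dotenv-expand for that case.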
Best Practices
Here are a few recommendations when working with dotenv:
- Always ensure your .env files are excluded from version control.
- Use default values for non-sensitive settings so they are never undefined:
  const port = process.env.PORT || 8080;
  Never give a secret a default. A missing JWT_SECRET should stop the process at startup, not silently fall back to a value that is visible in the source.
- Validate your environment variables at startup using schema validation libraries such as joi or zod, and fail fast on missing or malformed values instead of discovering them at the first request.
- For referencing variables within other variables, use dotenv-expand; dotenv alone leaves ${VAR} references as literal text.
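The two recommendations above on defaults and validation, as an added example that is not part of the original post: a hand-rolled startup check for the three variables the post's .env file defines, in the style you would otherwise get from a joi or zod schema. The values in GOOD_ENV and BAD_ENV are constructed test data, and the 32-character minimum for JWT_SECRET is an assumed policy value, not a dotenv setting.

```javascript
// Added example (not from the post): fail-fast validation of the .env variables.
// Two rules kept throughout: secrets get no fallback value, and error messages
// name the offending variable but never echo its value into logs.
const SECRET_MIN_LENGTH = 32; // assumed policy value

// Returns a list of human-readable problems; empty means the environment is valid.
function checkEnv(env) {
  const problems = [];

  const dbUrl = env.DATABASE_URL;
  if (!dbUrl) {
    problems.push("DATABASE_URL is required");
  } else {
    try {
      const u = new URL(dbUrl);
      if (u.protocol !== "postgres:" && u.protocol !== "postgresql:") {
        problems.push("DATABASE_URL must use the postgres:// scheme");
      }
    } catch {
      problems.push("DATABASE_URL is not a valid URL");
    }
  }

  const secret = env.JWT_SECRET;
  if (!secret) {
    // No default here: a known fallback secret is worse than a crash.
    problems.push("JWT_SECRET is required");
  } else if (secret.length < SECRET_MIN_LENGTH) {
    problems.push(`JWT_SECRET must be at least ${SECRET_MIN_LENGTH} characters`);
  }

  // PORT is not sensitive, so a default is acceptable.
  const portRaw = env.PORT ?? "3000";
  const port = Number(portRaw);
  if (!/^\d+$/.test(portRaw) || port < 1 || port > 65535) {
    problems.push("PORT must be an integer between 1 and 65535");
  }

  return problems;
}

// Builds the typed config the application uses, or throws listing every
// problem at once so an operator fixes them in one round.
function loadConfig(env = process.env) {
  const problems = checkEnv(env);
  if (problems.length) {
    throw new Error("Invalid environment:\n  - " + problems.join("\n  - "));
  }
  const url = new URL(env.DATABASE_URL);
  return Object.freeze({
    dbUrl: env.DATABASE_URL,
    dbHost: url.hostname,
    jwtSecret: env.JWT_SECRET,
    port: Number(env.PORT ?? "3000"),
  });
}

// Constructed sample environments (not real credentials).
const GOOD_ENV = {
  DATABASE_URL: "postgres://user:pass@localhost:5432/mydb",
  JWT_SECRET: "0123456789abcdef0123456789abcdef",
  PORT: "3000",
};
const BAD_ENV = { DATABASE_URL: "mysql://x", JWT_SECRET: "supersecurekey", PORT: "99999" };

console.log(loadConfig(GOOD_ENV));
console.log(checkEnv(BAD_ENV));
```

In a real entry file you would call require('dotenv').config() first and then loadConfig() with no argument, and do so before any module that reads process.env at import time. The short JWT_SECRET from the post's sample file is rejected deliberately: a secret that fits in a sample file is rarely long enough to be a real one.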
Common Issues
Missing process.env values
This typically occurs when config() is not called early enough: modules that read process.env at import time have already loaded before the file is parsed. Ensure require('dotenv').config() is executed at the top of your entry file, before the other requires. It also happens when the variable was already set in the environment to a different value, since dotenv does not override existing variables by default.
.env file not found
dotenv resolves .env relative to the current working directory (process.cwd()), not relative to the file that calls config(), so launching the app from another directory leaves the variables unset without throwing. Make sure the file exists there, or specify a custom path:
require('dotenv').config({ path: './config/.env' });
config() returns an object with an error property when the file cannot be read; check it if a missing file should be fatal for your application.
Advantages and Limitations
Advantages
- Simplifies environment configuration management.
- Removes the need to hardcode secrets into your codebase.
- Enables flexibility across development, testing, and production environments.
- Works well with any Node.js application.
Limitations
- Not designed for managing complex configuration hierarchies.
- Offers no encryption or access control: the .env file is plain text, and anyone who can read it holds the secrets.
- Developers must be disciplined about file exclusions and validations to prevent accidental leaks.
Conclusion
dotenv is a small yet impactful utility that promotes better software architecture, especially in environments that demand clean separation between code and configuration. At Glinteco, we include it in nearly all Node.js projects to enhance security, maintainability, and scalability. If you have not adopted a .env strategy yet, now is the right time to start.