Every .env read in one place

A complete guide to .env files — what they are, how runtimes load them, why they matter, and how to use them safely across Node.js, Next.js, Django, and more.

Battle-tested rules for .env files: what to commit, what to rotate, how to structure secrets across dev, staging, and production, and the common mistakes that cause outages.

Step-by-step examples for loading .env files with dotenv in Node.js, Next.js (App Router), Python/Django, Rails, and Laravel. Includes load order and override rules.

The NEXT_PUBLIC_ prefix decides whether an env variable is shipped to the browser or kept on the server. Here's how it works, when to use it, and the traps.

Step-by-step: keep .env out of git from day one, and what to do when a secret leaks into your commit history. Includes rotation checklist.

The 12 most common .env file errors — missing values, duplicate keys, bad quotes, encoding issues, case sensitivity — with exact fixes for each.

How to add, use, and rotate secrets in GitHub Actions. Covers repo vs environment secrets, ${{ secrets.NAME }} syntax, masked logs, and OIDC as an alternative.

How to add, pull, and manage environment variables in Vercel. Covers preview vs production vs development, vercel env pull, and the Vercel CLI.

Everything you should check before pushing, sharing, or deploying a .env — from .gitignore entries to rotation policy. Printable 15-item checklist.

dotenv is the library that loads a file. process.env is the global Node provides. They work together — here's where each starts and ends, with examples.

What env vars actually are, how to set them across shells and frameworks, why they break production, and the 7 rules we follow after shipping too many broken deploys.

Stop putting API keys in source code. A concrete playbook for local dev, staging, and production — with the exact tools and trade-offs for each tier.

A practical comparison of the five common ways to share environment variables — from 1Password Secrets Automation to encrypted file transfer — with real trade-offs.

NODE_TLS_REJECT_UNAUTHORIZED, TZ, NEXT_TELEMETRY_DISABLED, and 7 more. The env vars developers forget to set that cause outages at the worst possible time.

From a one-line grep to full CI-time schema validation — every way to check a .env before it hits production, with code for Node.js, Python, and Go.

dotenv loads .env inside your app at runtime. direnv loads per-directory env into your shell. Comparison of use cases, trade-offs, and when you want both.

When does a plain .env stop being enough? Honest comparison of .env files against Doppler, Infisical, and Hashicorp Vault. Cost, setup, audit, rotation.

Both Next.js and Vite inline prefixed env vars at build time. Same idea, different names, slightly different semantics. What to use when, and the gotchas.

How .env files map to Kubernetes Secrets and ConfigMaps. When to split, when to combine, and how to avoid the classic base64-is-not-encryption trap.

An honest comparison of dotenv and config-based libraries (node-config, convict, zod-env). Trade-offs around validation, type safety, and schema enforcement.

When .env wins, when JSON wins, and why most teams end up with a hybrid. Comparison of parsing cost, type safety, ergonomics, and CI/CD friendliness.

Plain .env files vs Doppler secrets manager — honest comparison of cost, setup complexity, team workflows, audit logs, and rotation. Includes Doppler alternatives.

HashiCorp Vault is powerful but complex. Compare Doppler, Infisical, AWS Secrets Manager, and 1Password Secrets — so you can pick the right tool for your team size and budget.

Every Node.js service starts with a .env file. This generator produces one for Express, Fastify, or Koa — with a Postgres connection string, a securely generated JWT secret, and a log-level knob.

Next.js reads .env.local automatically — no import needed. This generator produces a complete file for the most common Next 15 stack: NextAuth for auth, Supabase for data, Stripe for payments.

Django projects traditionally used settings.py for config, but that pattern leaks secrets into git. This generator produces a .env compatible with python-dotenv or django-environ — with Postgres, Redis, Celery, and SMTP already structured.

Rails ships with encrypted credentials, but dotenv-rails is still the path of least resistance for local dev. This generator produces a .env with database, Redis, Sidekiq, and secret keys.

Vite uses VITE_ prefixes to decide which variables ship to the browser. This generator produces a React .env with the right prefixes and the most common third-party client keys (Supabase, PostHog, Sentry).

Modern Python services (FastAPI, Flask, litestar) all consume .env via python-dotenv or Pydantic's BaseSettings. This generator produces a .env with the idiomatic keys — SECRET_KEY, DATABASE_URL, REDIS_URL, ALLOWED_ORIGINS.

Go apps typically use godotenv (joho/godotenv) or envconfig (kelseyhightower/envconfig) to load .env. This generator produces a Go-idiomatic .env with PORT, DATABASE_URL, JWT_SECRET, and CORS origins.

docker-compose auto-loads a .env file from the same directory as the compose file. Variables can be referenced in compose.yml as ${VAR}. This generator produces a compose-idiomatic .env.

Kubernetes separates config into two primitives: ConfigMaps (non-sensitive) and Secrets (sensitive). This generator produces a .env you can feed directly into kubectl create secret generic --from-env-file or split into a ConfigMap.

Stripe ships three keys per environment — publishable, secret, and webhook signing. This generator produces a .env block with the right prefixes (sk_test_, pk_test_, whsec_) and comments so you don't accidentally mix test and live values.

Firebase has two halves: the public client config (safe in the browser) and the Admin SDK service account (server-only). This generator keeps them separated with the right NEXT_PUBLIC_ prefixes so you don't leak admin credentials.

Supabase gives you four things per project: URL, anon key, service-role key, and JWT secret. The first two are client-safe (protected by Row Level Security). The last two are server-only and bypass RLS entirely.

Most AI apps use OpenAI + at least one vector DB. This generator produces a .env covering OpenAI, Anthropic, and Pinecone — the default AI stack for 2026.

Laravel reads .env via vlucas/phpdotenv during bootstrap. This generator produces a Laravel 11 compatible file with APP_KEY, MySQL, Redis, queue, and mailer settings.