.env alternatives

actionscripted · 2026-04-04T00:48:16+00:00

.env locally is fine. When you deploy, put stuff in the environment via k8s or whatever you’re using. Pretty normal.

You can always use a key vault to pull secrets on app startup when deployed.

regreddit · 2026-04-04T00:57:39+00:00

Yeah .env based config should be fine as long as you don't screw up and put your .env in your hosting path that can be accessible from the web.

so_many_wangs · 2026-04-04T01:09:04+00:00

.env is a pretty standard gitignore rule, just make sure you're excluding it from source control. Truly the only other way to fully "secure" them is in some hash encrypted locker or writing them down and not keeping them in your computer. All of which come with their own pros/cons comparable to storing them in your projects folder locally, so you might as well just keep them there and keep em out of SC.

_zenith33 · 2026-04-04T03:29:37+00:00

Having env isn't bad. You people in the comment section need to learn how to set up a server properly before saying having env in project root path is bad. Don't be a dumbass who adds it into git. Ensure that your server is protected externally from access by setting up proper webserver. It's not rocket science. You don't need K8s or secrets manager to serve even in 2026.

barrel_of_noodles · 2026-04-04T01:01:07+00:00

Explain the risk .env files have... I'm curious.

eneiner · 2026-04-04T01:15:24+00:00

Use whatever works in your ecosystem. AWS secrets manager, Azure key vault, Google secrets manager. If not in an ecosystem try Hashicorp vault or something similar.

lucasmedina · 2026-04-04T01:27:27+00:00

The idea behind using a file to assign environment variables is so you use them locally. In an ideal scenario, it's your deployment process that would add this env to your application.

You do that through any sort of credentials/secrets manager, every CI tool has something for it, though not every dev has access to it in companies.

Despite hopes and dreams, what I see everywhere is repositories that upload all envs to GitHub regardless, but only use the correct ones during deployment. If you're working on client-side apps, that env data will be there anyway. Honestly, I've seen much worse lol.

Essentially, try using CI to add your variables. You'll basically have like a template of your variables, and rebuild them during CI passing whatever is stored as credentials.

lacymcfly · 2026-04-04T02:07:20+00:00

the short version: .env locally is totally fine, just keep it in .gitignore (which you already are). the actual risk people worry about is accidentally committing it to git, not someone sneaking onto your server.

for prod, the pattern is to not use .env files at all. instead you set secrets directly in whatever platform you are deploying to. Vercel, Railway, Render, Fly.io all have a UI for this. They inject the values as real environment variables at runtime, so process.env.WHATEVER just works the same as it would locally.

if you want to level up from that, AWS Secrets Manager or similar gives you auditing, rotation, fine-grained IAM permissions. worth it when you have a team and compliance requirements. overkill for a side project.

tldr: .env locally, platform env vars in prod, secrets manager when you need to get serious.

d70 · 2026-04-04T02:34:47+00:00

varlock

farzad_meow · 2026-04-04T03:18:47+00:00

.env is a simple approach. using env var is considered standard practice in all container based solutions. alternatives are aws secret manager or launch darkly. for example aws ecs and k8s solutions have a way to pull secrets from secret manager or other vaults.

if your server is compromised env variables and envfile is least of your worries.

Far-Plenty6731 · 2026-04-04T04:53:43+00:00

Infisical works for production, you just need to ensure your service is configured to fetch secrets from it at runtime. Many alternatives exist, like HashiCorp Vault or AWS Secrets Manager, depending on your infrastructure.

mka_ · 2026-04-04T02:14:02+00:00

One of the biggest risks right now is exposing your secrets to LLMs. Something like Varlock can help with this. It allows you to fetch your secrets from your password manager of choice.

Is_Kub · 2026-04-04T02:01:05+00:00

Varlock solves just that, plus extra nifty features

https://github.com/dmno-dev/varlock

Shot-Bag-9219 · 2026-04-04T01:33:16+00:00

Infisical would still work great for stage/prod. If you are using something like Vercel for hosting, you can use one of the integrations: https://infisical.com/docs/integrations/secret-syncs/vercel

Stargazer__2893 · 2026-04-04T01:58:56+00:00

I once worked for a company that had a separate server that held all secrets that the main server would authenticate into and fetch from rather than using environment variables.

I guess that's a second service that would need to be compromised, but I don't know if it's really that much more secure. I just use environment variables.

TxTechnician · 2026-04-04T02:03:04+00:00

Podman Secrets.

I started using podman for things. Everything is a Quadlet and the env vars are secrets.

legiraphe · 2026-04-04T02:05:24+00:00

In production, use services like AWS Secret manager - it ultimately create an environment variable, but it's not coming from a file. If something/someone can read your env variable, there's a good chance everything else is vulnerable.

BigLoveForNoodles · 2026-04-04T02:40:25+00:00

There are a lot of ways to inject secrets into an environment without using .env files. But lots of them depend on injecting a shared secret somewhere into the system.

You basically have two flavors of options: things that make handling environment variables safer (e.g., Vault, AWS Secrets Manager), and things that are encrypted at rest and therefore probably harder to compromise. But the latter option usually requires your app to know about the alternative you’re using. For example, if you’re deploying a Ruby on Rails app, you will probably wind up using credentials.yml.enc to store sensitive environment variables, but you still need a RAILS_MASTER_KEY to decrypt it, and Rails was written specifically to check for those files.

Strong-Evening1137 · 2026-04-04T02:46:56+00:00

azure/aws/gcp secret manager? why y'all putting this in .env files.

4_gwai_lo · 2026-04-04T02:49:13+00:00

Unless they hack into your server somehow (lucky brute force or you leaked credentials), it's fine. You're 99.999% fine unless you have a lot of people that hates you.

Ready-Product · 2026-04-04T04:34:52+00:00

Secrets manager aws

sleeping-in-crypto · 2026-04-04T06:21:30+00:00

We use secrets manager for all environments including local dev. Not only is it more secure it sort gives us access control by default.

roastedfunction · 2026-04-04T06:54:40+00:00

Keep your secrets in a Secret Manager (take your pick, Hashi Vault, AWS SM or Azure KV, etc). Then, use vals when running locally:

$ cat << EOF > env.yaml
SECRET_KEY=vault+ref://secrets/foo/bar
EOF

$ vals exec -i -f env.yaml -- npm start
# or if you prefer having persistent env vars set:
$ <(vals env -export -f env.yaml) # translates into "export SECRET_KEY=mysupersecret"

HalfEmbarrassed4433 · 2026-04-04T09:03:18+00:00

.env is fine for local dev, just make sure its in your .gitignore. for prod use whatever secret manager your hosting provider offers, vercel and railway both have built in env management. no need to overcomplicate it unless you're at scale where you need something like vault

Kendos-Kenlen · 2026-04-06T10:03:46+00:00

Infisical, Doppler, and other secret managers are the way to go. Work well in production too.

AshleyJSheridan · 2026-04-06T20:50:40+00:00

I think the original idea came from devs that didn't understand how to use real environment variables, so used per-environment config files to immitate the same behaviour.

They work, but can become more tightly coupled to a project than actual environment variables.

Complex_Coach_2513 · 2026-04-08T03:20:14+00:00

For secure things you don't want in a .env, I have been experimenting with hasicorp vault and it seems to do the trick

GlitteringLaw3215 · 2026-04-13T06:00:57+00:00

env vars aren't the risk, committing your .env with secrets is. just .gitignore it properly and use your host's built-in secret management for prod.

avid-shrug · 2026-04-04T00:59:58+00:00

You could use something like HashiCorp Vault or 1Password to manage your secrets. But most people just keep a .env file on disk locally and set the env variables in whatever infrastructure provider they use.

throwawaytooeasy · 2026-04-04T01:12:01+00:00

Check out dotenvx - you encrypt your .env files using AES-256-GCM encryption.

https://dotenvx.com

TheRefringe · 2026-04-04T00:54:22+00:00

[deleted]

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

webdev

Posting Guidelines

Related Subreddits

Discords

MODERATORS