Using environment variables to store secrets instead of writing them directly into your code is one of the quickest and easiest ways to add a layer of protection to your projects.
There are many ways to use them, but a properly utilized `.env` file is one of the best, and I'll explain why.
## They're Project Scoped

Environment variables are a part of every major operating system: Windows, macOS, and all the flavors of *nix.
If you're looking for an environment variable named `API_KEY`, it could be getting redefined in each scope, and if you're not steeped in that OS, it's extra work to be sure you're not clobbering something someone set at a different scope that some other app or service needs.
`.env` files are only consumed at runtime and only in the context of the app that's consuming them.
You can set your `.gitignore` file to have Git ignore your `.env` file.
If you do that from the inception of your repository, you won't commit secrets to the project's Git history.
You can still commit a template `.env` file that sets the variable names but only includes dummy data or blanks.
Copy that template to `.env`, and assign the real values to the proper variables in the ignored `.env` file.
## They're Relocatable

While most systems will default to looking for the `.env` file in the root of the app's primary directory, you can always place it a level or two higher.
If, for example, a server configuration error or code bug makes it possible to list all the files at the root of your web app as a directory, the `.env` will not be there for easy pickings.
You do not need to move secrets into the root directory of the project that uses them.
## `.env` Demo in Node

Let's say your working directory for the app you're building is `~/Documents/work/projects/games/tictactoe`, and `tictactoe` is the root directory for both the app you're building and your Git repository.
While we generally call the file type `.env`, you can call it `.toecreds` if you want to make it a distinct file that other processes would never even think to touch.
Create your `.toecreds` file in the `games` directory and populate it with lines in the format `VARIABLE_NAME=VALUE`.
The environment variables you set in it will not be available from the terminal, and because the file lives a level above your repository, it can't accidentally be swept up if you misconfigure `.gitignore`.
While the script is running in that shell session, the environment variables available to the shell itself still do not contain the secrets.
You can have dev, test, and prod credential sets, having your CI/CD tooling pull the correct keys for the deployment target from a secrets manager and write the `.toecreds` file to the same relative directory.
## There You Have It

The use of a `.env` file helps you keep your app's secrets from ever being committed to your version control and provides an additional layer of protection against your secrets being discovered by hackers or other prying eyes.
This Cyber News was published on feeds.dzone.com. Publication date: Wed, 17 Jan 2024 01:13:04 +0000