What is a .env.example file?

It is a template file checked into version control that lists all required environment variables for the project without revealing the actual production secrets.

Should I use process.env directly in my code?

No. It is better practice to centralize your configuration in one file (e.g., `config.js`), validate it there, and then export it. This makes your code cleaner and easier to mock during testing.

Is it safe to store database passwords in .env?

On your local machine, yes (if it's not checked into Git). In production, it's better to use your provider's environment variable dashboard or a dedicated secret manager.

Environment & Configuration Best Practices

One of the most common ways applications fail in production isn't because of a bug in the code, but because of a missing or incorrect configuration value. Managing environment variables, API keys, and database URLs securely and consistently across different environments (Dev, Staging, Prod) is a critical skill for any backend engineer. In this guide, we'll explore the gold standard for Node.js configuration.

1. The 12-Factor App: Configuration in the Environment

The 12-Factor App methodology (a set of best practices for building modern, scalable SaaS apps) states that configuration should be strictly separated from code. You should never "hardcode" sensitive values or environment-specific settings. Instead, store them in environment variables.

Why? Environment variables are easy to change between different deployments without changing any code, and they are inherently safer (if managed correctly) than having secrets in your version control.

2. Managing .env Files Properly

For local development, we use .env files. However, there are a few strict rules you must follow:

Never check .env into Git: Add it to your .gitignore immediately.
Create a .env.example: Check this into Git. It should contain all the keys your app needs but with dummy values (e.g., DB_URL=mongodb://localhost:27017/db). This acts as documentation for new developers.
Use Node.js 20+ Built-in Support: You no longer need the dotenv package for basic usage. Run your app with node --env-file=.env index.js.

3. Zero-Delay Failures: Validating Config at Startup

Don't wait until a user tries to log in to realize your JWT_SECRET is missing. Your application should validate its configuration the moment it starts and crash immediately if anything is missing or invalid. This is called "Failing Fast."

While you can write manual checks, libraries like Envalid or Zod make this elegant:

import { cleanEnv, str, port, url } from 'envalid';

const env = cleanEnv(process.env, {
    NODE_ENV: str({ choices: ['development', 'test', 'production'] }),
    PORT: port({ default: 3000 }),
    DATABASE_URL: url(),
    API_KEY: str(),
});

export default env;

4. Secure Secret Management in Production

In production environments (AWS, GCP, DigitalOcean), .env files are often replaced by more secure methods:

Platform Secrets: Use the built-in secret management tools of your hosting provider (e.g., GitHub Secrets, AWS Secrets Manager).
Vaults: For complex enterprise setups, use HashiCorp Vault or Infisical to manage secrets dynamically.

5. Hierarchical Configuration

Sometimes you need different "defaults" for different environments while still allowing overrides. A robust pattern is to have a config/ directory with a default.js and specific overrides like production.js or test.js.

The logic is simple: Environment Variables > Environment-Specific Config > Default Config.

Conclusion

Professional configuration management isn't just about hiding passwords; it's about building a system that is predictable, documented, and resilient. By validating your environment variables at startup and following the 12-Factor methodology, you ensure that your application "just works" wherever it's deployed. Remember: code is for logic, environment is for settings.