Infrastructure

What are Environment Variables?

Configuration values stored outside your code that change between environments (development, staging, production). The standard way to manage secrets and settings.

In plain English

Like a recipe that says 'add salt to taste.' The recipe is the same, but each cook adjusts the seasoning. Environment variables let the same code run with different configurations — your local database during development, the production database when deployed.

Why they exist

You don't want your database password in your code (anyone with access to the code gets the password). You don't want to change code when switching between development and production. Environment variables solve both problems — secrets stay out of source code, and configuration changes without code changes.

How they work

In development, you create a .env.local file with your values. Your framework reads these into process.env. In production, you set them in your hosting platform's dashboard. The code uses process.env.DATABASE_URL everywhere — the value comes from whatever environment the code is running in.

Critical rules

Never commit .env files to Git. Add .env* to .gitignore. Use the NEXT_PUBLIC_ or VITE_ prefix only for values that are safe to expose to browsers, because prefixed values are bundled into the client-side JavaScript that anyone can read. Create a .env.example file listing the required variables with placeholder values. Rotate secrets (change them periodically). If a secret is accidentally committed, consider it compromised and generate a new one.
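The loader below is an added example, not code from the original page, showing how a Node or Next.js app can apply the rules above at startup: it takes an env object (process.env in the app, a constructed object in tests), fails fast on missing required variables, refuses to start if a NEXT_PUBLIC_ or VITE_ variable is present that the schema does not declare as public, returns a redacted copy for logging, and generates the .env.example contents from the same schema. The variable names in SCHEMA (DATABASE_URL, STRIPE_SECRET_KEY, NEXT_PUBLIC_APP_NAME, LOG_LEVEL) and the sample values are assumptions chosen for the example.

```javascript
// Added example (not from the original page): a schema-driven config loader.
// Reads from a plain object so the app can pass process.env and tests can pass
// a constructed object.

// Hypothetical schema for this example app.
//   required: must be set, otherwise startup fails
//   secret:   never logged; must never carry a browser-exposed prefix
//   public:   safe for the browser; must carry the NEXT_PUBLIC_/VITE_ prefix
const SCHEMA = {
  DATABASE_URL: { required: true, secret: true },
  STRIPE_SECRET_KEY: { required: true, secret: true },
  NEXT_PUBLIC_APP_NAME: { required: true, public: true },
  LOG_LEVEL: { required: false, default: "info" },
};

const PUBLIC_PREFIX = /^(NEXT_PUBLIC_|VITE_)/;

// Returns { ok, config, errors }. Never throws, so callers can report every
// problem at once instead of fixing them one restart at a time.
function loadConfig(env = process.env) {
  const errors = [];
  const config = {};

  for (const [name, rule] of Object.entries(SCHEMA)) {
    const value = env[name];
    if (value === undefined || value === "") {
      if (rule.required) errors.push(`missing required variable ${name}`);
      else config[name] = rule.default;
      continue;
    }
    // A declared secret with a public prefix would be shipped to the browser.
    if (rule.secret && PUBLIC_PREFIX.test(name)) {
      errors.push(`${name} is a secret but has a browser-exposed prefix`);
    }
    config[name] = value;
  }

  // Any browser-exposed variable the schema does not know about is a mistake:
  // the bundler will embed its value in public JavaScript.
  for (const name of Object.keys(env)) {
    if (PUBLIC_PREFIX.test(name) && !SCHEMA[name]?.public) {
      errors.push(`${name} would be exposed to browsers but is not declared public`);
    }
  }

  return { ok: errors.length === 0, config, errors };
}

// Copy of the config safe to print or send to a log aggregator.
function redact(config) {
  const out = {};
  for (const [name, value] of Object.entries(config)) {
    out[name] = SCHEMA[name]?.secret ? "[redacted]" : value;
  }
  return out;
}

// Text of a .env.example file generated from the schema, with placeholders
// instead of real values, so it is safe to commit.
function exampleFile() {
  const lines = Object.entries(SCHEMA).map(([name, rule]) => {
    const tag = rule.required ? "required" : `optional, default: ${rule.default}`;
    const placeholder = rule.secret ? "replace-me" : (rule.default ?? "");
    return `# ${tag}\n${name}=${placeholder}`;
  });
  return lines.join("\n") + "\n";
}

// Stand-alone usage: validate the real environment and print a redacted view.
const result = loadConfig(process.env);
console.log(result.ok ? redact(result.config) : result.errors);
```

Because loadConfig collects errors instead of throwing on the first one, a deploy with several misconfigured variables reports all of them in one run, and the redacted object is what should go into startup logs rather than the raw config.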

Frequently asked questions

What happens if I accidentally commit my .env file?

The secrets are in your Git history even if you delete the file. Rotate all compromised credentials immediately — generate new API keys, change database passwords. If the repo is public, assume every secret has been seen. Use git filter-branch or BFG Repo-Cleaner to remove secrets from history.
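To see whether history still carries a credential before deciding what to rotate, the scanner below is an added example (not from the original page) that reads the text of `git log -p --all` and reports added KEY=value lines that sit in a committed .env file or whose value has the shape of a credential. The SAMPLE_LOG, the provider key prefixes in KNOWN_PREFIXES and the entropy threshold are constructed assumptions; feed the function real `git log -p --all` output in practice.

```javascript
// Added example (not from the original page): find credentials that were
// committed, even in commits whose files were later deleted.

// Shannon entropy in bits per character: random tokens score high, words low.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed list of well-known credential shapes; extend for your providers.
const KNOWN_PREFIXES = [/^sk_(live|test)_/, /^AKIA[0-9A-Z]{16}$/, /^ghp_/, /^xox[abp]-/];

function looksLikeSecret(rawValue) {
  const v = rawValue.trim().replace(/^["']|["']$/g, "");
  if (KNOWN_PREFIXES.some((re) => re.test(v))) return true;
  // Connection URL with an embedded password: scheme://user:password@host
  if (/^[a-z][a-z0-9+.-]*:\/\/[^:@\/\s]+:[^@\/\s]+@/i.test(v)) return true;
  // Long, high-entropy token (threshold is an assumption; tune per repo)
  return v.length >= 20 && entropy(v) > 3.5;
}

// Parses `git log -p` text. Returns [{ commit, file, key, reason }].
function findLeakedSecrets(logText) {
  const findings = [];
  let commit = null;
  let file = null;
  for (const line of logText.split("\n")) {
    let m;
    if ((m = /^commit ([0-9a-f]{7,40})/.exec(line))) { commit = m[1]; file = null; continue; }
    if ((m = /^\+\+\+ b\/(.+)$/.exec(line))) { file = m[1]; continue; }
    if (!line.startsWith("+") || line.startsWith("+++")) continue; // only added lines
    const kv = /^\+\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.+)$/.exec(line);
    if (!kv) continue;
    const [, key, value] = kv;
    const base = file === null ? "" : file.split("/").pop();
    // A committed .env file is a finding regardless of the value; .env.example
    // is expected to be committed, so only its values are inspected.
    const inEnvFile = base.startsWith(".env") && !base.endsWith(".example");
    if (inEnvFile) findings.push({ commit, file, key, reason: "committed .env file" });
    else if (looksLikeSecret(value)) findings.push({ commit, file, key, reason: "value looks like a credential" });
  }
  return findings;
}

// Constructed sample of `git log -p --all` output; all values are fake.
const SAMPLE_LOG = [
  "commit 1111111111111111111111111111111111111111",
  "Author: dev <dev@example.com>",
  "",
  "    add env file",
  "",
  "diff --git a/.env b/.env",
  "--- /dev/null",
  "+++ b/.env",
  "@@ -0,0 +1,3 @@",
  "+DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
  "+STRIPE_SECRET_KEY=sk_live_CONSTRUCTEDEXAMPLE0000",
  "+LOG_LEVEL=debug",
  "commit 2222222222222222222222222222222222222222",
  "diff --git a/.env.example b/.env.example",
  "--- /dev/null",
  "+++ b/.env.example",
  "@@ -0,0 +1,2 @@",
  "+DATABASE_URL=",
  "+STRIPE_SECRET_KEY=replace-me",
  "commit 3333333333333333333333333333333333333333",
  "diff --git a/deploy.sh b/deploy.sh",
  "--- a/deploy.sh",
  "+++ b/deploy.sh",
  "@@ -1,2 +1,3 @@",
  " set -e",
  "+export GITHUB_TOKEN=ghp_constructedTokenValue1234567890",
].join("\n");

console.log(findLeakedSecrets(SAMPLE_LOG));
```

Every key the scanner reports is one to rotate before cleaning history with git filter-branch or BFG Repo-Cleaner; rewriting history without rotating only hides a credential that may already have been copied.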

Check your app

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis

Complete Bundle

Both scans in one package with cross-referenced findings.

$29 (regular price $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan

100% credited toward any paid service. Start with an audit, then let us fix what we find.

Worried about environment variables in your app?

Get a professional code audit ($19) or book a free call to discuss your concerns.

Tell Us About Your App