Environment variables and secrets are key-value pairs stored outside your application's source code that supply configuration and sensitive data at runtime. Managing them correctly keeps credentials secure, makes apps portable across environments, and follows the Twelve-Factor App methodology.
An environment variable is a named value stored in the operating system's process environment and accessible by any program running in that process. Common examples include DATABASE_URL, PORT, and NODE_ENV. They let you change application behavior—such as switching between development and production—without modifying or redeploying code. On Unix-like systems you set them with export KEY=value; on Windows with set KEY=value or via System Properties.
Secrets are a specialized category of environment variables that hold highly sensitive data such as API keys, database passwords, OAuth tokens, and TLS private keys. Unlike generic config values, secrets must never appear in logs, version control, or error messages. Tools like HashiCorp Vault, AWS Secrets Manager, and Doppler are purpose-built to store, rotate, and audit access to secrets at scale.
At process startup the OS exposes environment variables through a key-value map that languages surface via built-in APIs—process.env in Node.js, os.environ in Python, System.getenv in Java. Libraries like dotenv load a local .env file into this map during development, simulating what a cloud platform injects automatically in production. Container platforms such as Docker and Kubernetes inject variables through docker run --env flags or Kubernetes Secrets and ConfigMaps mounted into pods.
The golden rule is that secrets must never be committed to source control—add .env to .gitignore immediately and audit history with tools like git-secrets or truffleHog if you suspect a leak. In CI/CD pipelines, secrets are stored in the platform's encrypted secret store (GitHub Actions Secrets, GitLab CI Variables) and injected as environment variables only at job runtime. For production workloads, prefer a dedicated secrets manager that supports short-lived dynamic credentials and automatic rotation over long-lived static values.
Environment variables are strings only, so numeric or boolean values require explicit parsing in your code—a variable set to 'false' is still a truthy string in most languages. Child processes inherit their parent's environment, which can accidentally expose secrets to subprocesses or third-party libraries you did not intend to grant access. Always apply the principle of least privilege: each service should receive only the specific secrets it needs, not a shared super-credential. Rotate secrets regularly and revoke compromised ones immediately, treating rotation as an automated operational task rather than a manual exception.
© RM Full Stack & AI Engineer · All guides · Roadmaps · Open the app