Quick tools for school, health, and money decisions.

Read guidesBrowse tools
Utlixia
Tools guide8 min read

How to use .env files without leaking secrets

.env files are useful because they keep configuration outside source code, but they can also become risky when real secrets are committed, copied into public variables, or left undocumented. This guide explains how to create a practical .env workflow for local development, teams, Docker, frontend frameworks, and deployment.

Updated: May 10, 2026

Browse ToolsMore guides

At a glance

What this guide covers

  • Commit .env.example for documentation, but keep real .env files out of Git.
  • Treat NEXT_PUBLIC_ and VITE_ values as visible to users.
  • Validate required variables before deploying and rotate any leaked secret.

Quick summary

What to take away from this guide

  • Commit .env.example for documentation, but keep real .env files out of Git.
  • Treat NEXT_PUBLIC_ and VITE_ values as visible to users.
  • Validate required variables before deploying and rotate any leaked secret.

Open the calculator

.env File Generator

Generate .env, .env.example, and Docker env blocks for Node.js, Next.js, Vite, Docker, and backend apps with validation warnings.

Try the calculator

Guide overview

A practical reading layout with the main decision points up front.

Section 01

Start with the role of each file

Use .env for real local values and .env.example for documentation. The example file should list every required key with empty or placeholder values, while the real .env file stays private and out of version control.

.env file generator

Section 02

What belongs in a .env file

Environment files usually hold app URLs, ports, database connection strings, feature flags, service endpoints, API keys, and runtime modes. They work best when variable names are consistent, readable, and grouped by service or purpose.

  • APP_URL and API_BASE_URL for application endpoints.
  • DATABASE_URL for local database connection strings.
  • FEATURE_FLAGS or runtime options for development behavior.
  • SERVICE_API_KEY values only when they are private and ignored by Git.

Section 03

What should never be public

Do not expose private API keys, database passwords, signing secrets, payment credentials, or admin tokens in browser-side variables. Prefixes such as NEXT_PUBLIC_ and VITE_ are useful, but they also signal that the value can be bundled into frontend code.

Section 04

Keep .env.example useful

.env.example should be updated whenever a required variable changes. A stale example file slows onboarding and increases deployment mistakes because teammates cannot see which variables are required.

  • Keep the same key names as the real .env file.
  • Use empty values or safe placeholders.
  • Add short comments only where the value is not obvious.
  • Review it during pull requests that add new configuration.

Section 05

Local, staging, and production values

Local values are for development only. Staging and production values should usually live in the hosting platform, CI/CD system, container environment, or secret manager. Avoid copying a local .env file into production without checking each value.

Section 06

Docker and CI/CD workflows

Docker Compose can read environment variables from files or explicit environment blocks. CI/CD systems often inject secrets at build or deploy time. In both cases, keep the source of truth clear so developers know whether a value comes from .env, the shell, the deployment platform, or a secret manager.

Section 07

Validation before deployment

Before a release, compare required variables against the real deployment environment. Look for missing values, duplicate keys, wrong public prefixes, and variables that exist locally but not in staging or production.

Section 08

If a secret leaks

Rotate the secret instead of only deleting the file or commit. Once a key has appeared in a repo, log, screenshot, or ticket, assume it may have been copied. Replace it in every environment and check whether any related tokens should also change.

Related tools

Open the tools mentioned in this guide

Tools

.env File Generator

Generate .env, .env.example, and Docker env blocks for Node.js, Next.js, Vite, Docker, and backend apps with validation warnings.

Tools

JSON Formatter / Validator

Format, validate, pretty print, minify, sort, and debug JSON locally in your browser with syntax errors and developer-friendly examples.

Tools

Base64 Encoder / Decoder

Encode text to Base64, decode Base64 to plain text, and understand URL-safe Base64, UTF-8, data URIs, and local browser processing.

Tools

URL Encoder / Decoder

Encode or decode URLs in the browser with a clean utility workflow that handles query strings, fragments, and reserved characters.

Tools

Cron Expression Generator

Generate cron expressions, preview schedule meaning, and understand common cron syntax for Linux, servers, and DevOps automation.

More guides

Keep reading

Tools

How to create strong passwords and passphrases safely

Learn how to use a password generator safely, choose strong random passwords, create passphrases, avoid reuse, and store credentials.

Read guide

Tools

How to compress images for websites, email, and uploads

Learn how to compress images for websites, email, forms, and social media using quality settings, dimensions, WebP, JPG, and PNG.

Read guide

Common questions

Usually no. Commit .env.example for documentation, but keep real .env files with secrets out of version control.

.env.example documents required variables without real secret values, making setup and onboarding easier.

No. NEXT_PUBLIC_ variables can be exposed to browser-side code and should only contain public-safe values.

Rotate the key, remove it from active configuration, and update the project to use a safe secret workflow.