Best Practices for Safeguarding Secrets in Node.js Applications
In production software, sensitive information like API keys, tokens, and database credentials is stored in a secrets manager, which keeps it secure through least-privilege access controls, encryption, and auditing. This ensures that only authorized services or users can access the sensitive data, without hardcoding it directly into the source code.
In local development environments, to avoid having to stand up a secrets manager, common practice is to store sensitive and environment-specific information like API keys or database credentials in a .env file as key=value pairs.
Environment variables let the application read this information at runtime without hardcoding it directly into the source code.
What a .env file looks like:
API_KEY='*↳*↳*↳*'
DB_PASS='*@*@*@*'
You can create the above .env file with the command below.
» echo -e "API_KEY='*↳*↳*↳*'\nDB_PASS='*@*@*@*'" > .env
⚠︎ it overwrites an existing .env file in the current directory
Node.js has had native support for loading .env files since v20.6.0:
» node --env-file=.env ...
Below is a demo Node.js application that prints the value of the variables specified in the .env file.
» pnpm init
The following command creates a .env file with two environment variables: API_KEY and DB_PASS.
» echo -e "API_KEY='*↳*↳*↳*'\nDB_PASS='*@*@*@*'" > .env
The following command creates a server.js file.
server.js
» cat > server.js <<EOF
const apiKey = process.env.API_KEY
const dbPass = process.env.DB_PASS
console.log({ apiKey, dbPass })
EOF
» node --env-file=.env server
To prevent your sensitive environment variables from being accidentally pushed to version control, always add the .env file to your .gitignore:
.gitignore
.env
Sometimes it's necessary to create a bash script that shares some of the same environment variables as the Node.js application. Below is how to handle loading the .env file when running a bash script:
» export $(grep -v '^#' .env | xargs) && curl -I --request GET \
--url 'https://api.github.com/gists?per_page=100&page=1' \
--header 'Accept: application/vnd.github+json' \
--header "Authorization: Bearer ${API_KEY}" \
--header 'X-GitHub-Api-Version: 2022-11-28'
With these practices in place, you can confidently build secure Node.js applications, keeping your secrets safe and your development streamlined.
Node.js has had native support for loading .env files since version 20.6.0, eliminating the need for third-party packages like dotenv.
In production, secrets managers should be used to ensure sensitive data like API keys and tokens are stored securely with proper access controls and encryption.
However, during local development, .env files are a common and effective method for managing environment-specific variables.

