Environment Variables Security: Secrets, Leaks & Best Practices
Why environment variables are not truly secure and what to do about it. Covers secret rotation, leak detection, client-side exposure risks, and when to use a dedicated secrets manager.
Frequently Asked Questions
Are environment variables secure?
Not inherently. Environment variables are visible in process listings (/proc/PID/environ on Linux), crash dumps, logs, and child processes. They are better than hardcoding secrets in source code but worse than a dedicated secrets manager.
What should I do if a secret is leaked?
Immediately rotate the compromised credential (generate a new key, revoke the old one). Audit access logs to determine if the secret was used maliciously. Update all deployments with the new credential. Investigate how the leak occurred and fix the root cause.
What is the NEXT_PUBLIC_ / REACT_APP_ / VITE_ exposure risk?
Variables with these prefixes are embedded into client-side JavaScript bundles at build time. They are visible to anyone inspecting your site. Never put API keys, database URLs, or any secret in a client-side exposed variable.
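A defensive check covering the first and third questions above, added here as an example and not code from the original page: it flags public-prefixed variables whose names suggest a credential before a build runs, and shows that a secret in the parent environment is inherited by every child process unless the child is given a scrubbed copy. The prefix list comes from the FAQ; the secret-name heuristic and the sample environment are constructed assumptions.

```python
import os
import re
import subprocess
import sys

# Prefixes that Next.js, Create React App and Vite inline into the client bundle.
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "REACT_APP_", "VITE_")
# Name fragments that usually denote a credential (assumed heuristic, not exhaustive).
SECRET_HINTS = re.compile(r"(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|DATABASE_URL)", re.I)

# Constructed sample environment for the demonstration (no real credentials).
SAMPLE_ENV = {
    "PATH": os.environ.get("PATH", ""),
    "NEXT_PUBLIC_SITE_NAME": "demo",                       # harmless to expose
    "NEXT_PUBLIC_API_KEY": "constructed-not-a-real-key",   # would ship to browsers
    "DATABASE_URL": "postgres://user:constructed@db/app",  # server-side only
}


def find_public_secrets(env):
    """Names of variables that would be inlined into client JS and look like secrets."""
    return sorted(
        name for name in env
        if name.startswith(PUBLIC_PREFIXES) and SECRET_HINTS.search(name)
    )


def child_can_see(env, name):
    """Spawn a child process with `env` and report whether it inherits `name`."""
    probe = "import os, sys; sys.exit(0 if %r in os.environ else 1)" % name
    return subprocess.run([sys.executable, "-c", probe], env=env).returncode == 0


def scrubbed(env, names):
    """Copy of `env` with the given variables removed, for handing to child processes."""
    return {k: v for k, v in env.items() if k not in names}


if __name__ == "__main__":
    print("would be shipped to browsers:", find_public_secrets(SAMPLE_ENV))
    print("child inherits DATABASE_URL:", child_can_see(SAMPLE_ENV, "DATABASE_URL"))
    safe = scrubbed(SAMPLE_ENV, {"DATABASE_URL", "NEXT_PUBLIC_API_KEY"})
    print("after scrub:", child_can_see(safe, "DATABASE_URL"))
```

Run `find_public_secrets` against the build environment in CI and fail the build when it returns anything; pass `scrubbed(...)` as `env=` to any subprocess that does not need the secret.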