env.dev

Developer Guides

84 in-depth guides on environment variables, Docker, security, and more. Start with the featured picks below, or search and filter to find what you need.

Featured

The guides developers land on most — start here if you're new.

AI & Automation

MCP Server Environment Variables & Secrets

How MCP servers receive secrets through the env block, why stdio servers do not inherit your shell, and scoping tokens so prompt injection cannot drain them.

Environment Variables

Vite Environment Variables: import.meta.env & Modes

Vite exposes only VITE_-prefixed vars on import.meta.env, statically replaced at build time. Covers .env modes, loadEnv, define, and undefined-var gotchas.

Environment Variables

Windows Environment Variables: setx, set & PowerShell

set is session-only, setx persists but truncates at 1,024 chars, PowerShell has $env: and [Environment]. User vs system scope, PATH pitfalls, GUI editor.

Security & Auth

Google Maps API Key Gemini Abuse: Stop Surprise Bills

A leaked Google Maps API key can now call paid Gemini APIs and run up huge bills. Lock keys down with API restrictions and budgets — and recover after abuse.

Environment Variables

The .env File: A Complete Guide to Environment Variables

Everything about .env files: syntax rules, parser quirks, language examples (Node, Python, Go, Docker), best practices, and the gotchas that bite.

Environment Variables

Docker Compose Environment Variables: The Complete Guide

Use environment variables in Docker Compose: .env auto-load, env_file, --env-file, multi-environment patterns, substitution, and secrets.

Recently updated

Newest edits and ships — refreshed versions, new releases, and brand-new guides.

Securing Your Dev Environment for AI Coding Agents

Treat your AI coding agent as an untrusted intern: scope and expire API keys, lock down Docker egress, and assume prompt injection will exfiltrate secrets.

Build-Time vs Runtime Environment Variables

Build-time env vars are inlined into your bundle and frozen until you rebuild; runtime vars are read from process.env on each start. When to use each.

Bun Environment Variables: Bun.env & .env Auto-Load

Bun auto-loads .env, .env.{NODE_ENV}, and .env.local with no dotenv install. Bun.env vs process.env, $VAR expansion, --env-file, and build inlining gotchas.

Laravel Environment Variables: env(), config() & Caching

env() returns null after php artisan config:cache — the #1 Laravel env trap. env() vs config(), APP_KEY rotation, .env precedence, and deployment caching.

Django Environment Variables: settings.py Patterns

Configure Django with os.environ and django-environ: DEBUG, SECRET_KEY, and DATABASE_URL in settings.py, .env files in dev, real env vars in production.

GraphQL: Developer Guide to Queries, Schemas & APIs

Learn GraphQL from scratch: SDL schema design, queries, mutations, subscriptions, resolvers, the N+1 problem with DataLoader, pagination, and security.

Browse by category

Environment Variables(29)

Vite Environment Variables: import.meta.env & Modes

Vite exposes only VITE_-prefixed vars on import.meta.env, statically replaced at build time. Covers .env modes, loadEnv, define, and undefined-var gotchas.

Build-Time vs Runtime Environment Variables

Build-time env vars are inlined into your bundle and frozen until you rebuild; runtime vars are read from process.env on each start. When to use each.

Bun Environment Variables: Bun.env & .env Auto-Load

Bun auto-loads .env, .env.{NODE_ENV}, and .env.local with no dotenv install. Bun.env vs process.env, $VAR expansion, --env-file, and build inlining gotchas.

Laravel Environment Variables: env(), config() & Caching

env() returns null after php artisan config:cache — the #1 Laravel env trap. env() vs config(), APP_KEY rotation, .env precedence, and deployment caching.

Django Environment Variables: settings.py Patterns

Configure Django with os.environ and django-environ: DEBUG, SECRET_KEY, and DATABASE_URL in settings.py, .env files in dev, real env vars in production.

Windows Environment Variables: setx, set & PowerShell

set is session-only, setx persists but truncates at 1,024 chars, PowerShell has $env: and [Environment]. User vs system scope, PATH pitfalls, GUI editor.

Next.js Environment Variables: Complete Guide

How Next.js handles environment variables: .env file load order, NEXT_PUBLIC_ prefix, server vs client access, and common production errors.

Node.js Env Variables: process.env, dotenv & --env-file

How to use environment variables in Node.js: process.env, dotenv, the Node 20.6+ --env-file flag, NODE_ENV, type-safe validation with zod.

Fix 'NODE_NO_WARNINGS is not recognized' on Windows

On Windows, NODE_NO_WARNINGS=1 node app.js fails: cmd parses the inline env var as a command. Fix with set, PowerShell $env:, cross-env, or --disable-warning.

Gemini API Environment Variables: Keys & Vertex AI

GEMINI_API_KEY and GOOGLE_API_KEY both auto-load in the google-genai SDK; GOOGLE_API_KEY wins if both set. Vertex AI needs project + location, not a key.

Go Environment Variables: os.Getenv, godotenv & Viper

How to read, set, and manage environment variables in Go. Covers os.Getenv, os.LookupEnv, godotenv, Viper, envconfig, build-time variables, and testing.

Docker Env Variables: ENV, ARG & Runtime

How to use environment variables in Docker: ENV vs ARG in Dockerfile, docker run -e, --env-file, multi-stage builds, BuildKit secrets, and best practices.

Vercel Environment Variables: Dashboard, CLI & Edge

How to configure environment variables on Vercel: the dashboard, CLI (vercel env pull), system variables, per-env settings, and Edge function access.

.env File Syntax Rules: Quoting, Comments, Multiline

.env files have no formal spec, so quoting, inline comments, and multiline values parse differently in Node.js, Python, Ruby, Go, and Docker Compose.

Kubernetes Env Variables: ConfigMaps, Secrets & Pod Spec

How to configure environment variables in Kubernetes: inline env, ConfigMaps, Secrets, the downward API, and best practices for managing configuration at scale.

AWS Lambda Env Vars: Console, CLI, SAM & CDK

How to set and manage environment variables in AWS Lambda: the console, CLI, SAM, CDK, Terraform, KMS encryption, and Secrets Manager.

Python Env Variables: os.environ, dotenv & Pydantic

How to read, set, and manage environment variables in Python. Covers os.environ, python-dotenv, Pydantic Settings v2, and Django/Flask configuration patterns.

How to Share .env Files With Your Team Securely

Share .env files securely with send.env.dev — end-to-end encrypted, burn-on-first-read links, EU-hosted, zero dependencies. Plus 1Password, Doppler, Vault.

dotenv Not Loading? Step-by-Step Debugging Guide

Fix environment variables not loading from .env files. Covers Node.js, Python, Docker, file path issues, syntax errors, load order, and production gotchas.

Docker Compose Environment Variables: The Complete Guide

Use environment variables in Docker Compose: .env auto-load, env_file, --env-file, multi-environment patterns, substitution, and secrets.

The .env File: A Complete Guide to Environment Variables

Everything about .env files: syntax rules, parser quirks, language examples (Node, Python, Go, Docker), best practices, and the gotchas that bite.

Python Virtual Environments: venv, uv, Poetry & pyenv

Manage Python environments with venv, pip, pyenv, Poetry, and conda. Learn requirements.txt, pyproject.toml, and environment best practices.

Environment Variables in Rust: std::env, dotenvy & envy

Read env vars in Rust with std::env::var, load .env files via dotenvy, and deserialize typed config with envy. Plus the Rust 2024 unsafe-set_var change.

Environment Variables in Java: System.getenv & Spring Boot

Read env vars in Java with System.getenv() (immutable inside the JVM), bind to typed config via Spring Boot relaxed binding, plus dotenv-java for non-Spring.

Ruby Environment Variables: ENV, dotenv & Rails Credentials

Read env vars in Ruby with ENV.fetch, load .env files with the dotenv gem (the original dotenv port), and choose dotenv-rails or Rails encrypted credentials.

Environment Variables in PHP: getenv, $_ENV & phpdotenv

Three ways PHP reads env vars (getenv, $_ENV, $_SERVER). Plus vlucas/phpdotenv, Laravel's env() vs config(), and the FPM thread-safety gotcha.

C# / .NET Environment Variables & IConfiguration

In C# / .NET, prefer IConfiguration over Environment.GetEnvironmentVariable, and map nested keys with double underscores (ConnectionStrings__Default).

Environment Variable Best Practices (2026)

Manage env vars without leaking secrets: SCREAMING_SNAKE_CASE naming, .env in .gitignore from day one, startup validation, typed config objects, and rotation.

Env Vars in Docker, CI/CD & Kubernetes

Tactical env-var patterns: --mount=type=secret beats ARG, GitHub/GitLab/Jenkins idioms, ConfigMaps vs Secrets in Kubernetes, and build-time vs runtime split.

Constants(7)

Constants in JavaScript & TypeScript: const & as const

JS const blocks reassignment, not mutation. Real immutability needs Object.freeze (ES5) or TypeScript's as const assertion (TS 3.4, 2019) at zero runtime cost.

Constants in Python: typing.Final, Enum & SCREAMING_SNAKE

Python has no const keyword. Constants follow SCREAMING_SNAKE_CASE per PEP 8, typing.Final adds mypy enforcement, and enum or MappingProxyType lock closed sets.

Constants in Go: const, iota & Type-Safe Enumerations

Go const is compile-time only — no address, inlined at every use. Untyped constants adopt their use-site type; iota generates enum sequences and bitmasks.

Constants in Rust: const, static, const fn & LazyLock

Rust splits constants: const inlines at every use site; static has a fixed address. const fn runs at build time; LazyLock (1.80) gives thread-safe global state.

Constants in Java: static final, Enums & List.of

Java constants are static final fields. Compile-time inlining breaks consumers when library values change. List.of/Map.of/Set.of (Java 9+) are truly immutable.

Constants: Naming, Immutability & Magic Numbers

Rules for good constants: SCREAMING_SNAKE_CASE with unit suffixes, real immutability per language, one source of truth, no magic numbers. Per Effective Java.

Constants Tips: Tree Shaking, Branded Types & Test Fixtures

Compile-time vs runtime constants, bundler tree-shaking and dead-code elimination, constant folding, TypeScript branded types, and derived config.

DevOps & Infrastructure(15)

jq: Filter and Transform JSON From the Command Line

jq is the C-based JSON processor (1.8.1, 2025) that filters, reshapes, and pipes JSON inside shell scripts. Recipes for kubectl, GitHub API, and AWS CLI.

tmux: Sessions, Panes, .tmux.conf, and Neovim Integration

tmux is the BSD-licensed terminal multiplexer (3.6a, 2026) that survives SSH drops and reboots. Sessions, panes, .tmux.conf, scripting, and Neovim.

Docker on Windows 2026: Desktop, WSL2, Rancher, Podman

Docker on Windows runs four ways in 2026: Docker Desktop, Docker Engine in WSL2, Rancher Desktop, or Podman Desktop. Licensing, performance, and how to pick.

GitHub Actions: Secrets vs Environment Variables

When to use repository secrets, environment secrets, and configuration variables in GitHub Actions. Includes workflow examples for Node.js, Python, and Docker.

Terraform Variables: tfvars vs Env Vars vs Blocks

The three ways to set Terraform variables: variable blocks, .tfvars files, TF_VAR_ env vars, precedence, sensitive values, and validation.

OpenTofu in 2026: Open-Source Terraform Fork Explained

OpenTofu 1.11 is the Linux Foundation fork of Terraform 1.5 under MPL 2.0, with built-in state encryption, ephemeral values, and a drop-in tofu CLI.

Pulumi vs Terraform vs OpenTofu: Getting Started 2026

Pulumi 3.236 writes cloud infra in TypeScript, Python, Go, or C# under Apache 2.0. Compared with Terraform and OpenTofu, plus a first AWS S3 stack walkthrough.

GitHub Actions: The Complete CI/CD Guide for Developers

GitHub Actions CI/CD: workflow syntax, triggers, matrix builds, reusable workflows, composite actions, caching, secrets, and security hardening.

Git for Beginners: Visual Guide to Version Control

Learn Git from scratch: cloning, branching, committing, pushing, pull requests, and resolving conflicts, with VS Code and GitHub Desktop walkthroughs.

Dev Containers: Guide to Containerized Development

Dev Containers from devcontainer.json to Features, lifecycle scripts, Docker Compose, the CLI, performance tuning, security, and the gotchas.

Cron Expression Syntax: A Complete Guide

Cron expression syntax explained: 5- and 6-field formats, special characters (* , - / L W #), common schedules, and platform-specific differences.

Docker Networking: Bridge, Host, Overlay & Compose

Docker networking deep dive: bridge, host, overlay, macvlan drivers, port mapping, embedded DNS at 127.0.0.11, Compose isolated networks, and debugging.

Linux File Permissions: chmod, chown, umask & ACLs

Linux file permissions reference: chmod octal/symbolic, chown, umask, SUID/SGID/sticky bits, POSIX ACLs (setfacl/getfacl), and Linux capabilities.

Nginx Configuration: Server Blocks, Proxy & SSL

Production Nginx config: server blocks, reverse proxy, SSL/TLS termination with Let's Encrypt, upstream load balancing, proxy caching, and rate limiting.

Git Branching Strategies: GitFlow, Trunk-Based & GitHub Flow

Compare Git branching strategies: GitFlow, trunk-based development, GitHub Flow, and release branches. Choose the right workflow for your team.

Security & Auth(7)

Env Variables Security: Secrets, Leaks & Best Practices

Why environment variables are not truly secure and what to do about it: secret rotation, leak detection, client-side risk, and secrets managers.

Google Maps API Key Gemini Abuse: Stop Surprise Bills

A leaked Google Maps API key can now call paid Gemini APIs and run up huge bills. Lock keys down with API restrictions and budgets — and recover after abuse.

JWT Best Practices: Storage, Algorithms & Revocation

Security best practices for JSON Web Tokens: algorithm selection, storage, expiration, refresh patterns, revocation, and common vulnerabilities.

CORS: The Complete Guide to Cross-Origin Resource Sharing

CORS in depth: headers, preflight and credentialed requests, debugging, third-party scripts (Google Ads, Cloudflare, PostHog), and framework setup.

What is a JWT? A Developer Guide to JSON Web Tokens

Learn how JSON Web Tokens work — header, payload, and signature structure, typical auth use cases, common pitfalls, and best practices for secure usage.

SSH Keys: Complete Guide to Generation and Usage

Generate Ed25519 SSH keys, configure ssh-agent and ~/.ssh/config, set up tunnels and ProxyJump, and harden sshd_config for production servers.

HTTPS and TLS Explained: Certificates, Handshake & HSTS

Understand HTTPS, TLS certificates, the TLS handshake, cipher suites, Let's Encrypt, and HSTS for secure web communication.

Protocols & APIs(13)

OpenGraph Image Not Showing: 8 Causes and Fixes

Why your og:image is not rendering on Facebook, LinkedIn, Slack, or Discord — caching, absolute URLs, size limits, hotlink protection, and robots.txt blocks.

OpenGraph Image Sizes 2026: Per-Platform Cheat Sheet

Recommended OpenGraph image sizes per platform in 2026: universal safe size, aspect ratios, file size limits, and how each platform crops on mobile.

GraphQL: Developer Guide to Queries, Schemas & APIs

Learn GraphQL from scratch: SDL schema design, queries, mutations, subscriptions, resolvers, the N+1 problem with DataLoader, pagination, and security.

WebSockets: Guide to Real-Time Communication

WebSockets end to end: the RFC 6455 protocol, handshake, browser API, server code in Node.js, Python, and Go, reconnection, heartbeats, and scaling.

Server-Sent Events: SSE vs WebSockets Guide

Server-Sent Events (SSE): wire format, EventSource API, a Node.js TypeScript implementation, auto-reconnection, HTTP/2 multiplexing, and SSE vs WebSockets.

Unix Timestamps Explained

What Unix epoch time is, why it is used, how the Y2K38 problem threatens 32-bit systems, and how to generate and convert timestamps across languages.

Base64 Encoding Explained

Understand Base64 encoding end-to-end: how the algorithm maps bytes to 64 characters, when to use it, what padding means, and why it inflates size by 33%.

TypeScript Generics: A Complete Guide

Master TypeScript generics with practical examples — type parameters, constraints, utility types (Partial, Pick, Omit), mapped and conditional types.

REST API Best Practices: Design Guide

REST API design conventions used by Stripe, GitHub, and Google: URI naming, versioning, cursor pagination, error envelopes, status codes, auth, and HATEOAS.

DNS Explained: Record Types, Resolution & Common Issues

Understand DNS record types, resolution process, caching, TTL values, and how to debug common DNS misconfigurations.

Open Graph Protocol: Complete Social Sharing Guide (2026)

Open Graph meta tags in 2026: required fields, image sizes for Facebook/LinkedIn/X/Slack, Twitter Cards, dynamic OG images, debugging, and caching.

Regex Patterns Cookbook: Common Patterns with Explanations

A cookbook of common regex patterns for email, URL, IP address, phone number, and date validation with detailed explanations.

Rate Limiting: Token Bucket, Sliding Window & More

Implement rate limiting with token bucket, sliding window, fixed window, and Redis-based strategies. Code examples, edge patterns, and API gateways.

Databases(1)

PostgreSQL vs MongoDB: Why Postgres Wins

PostgreSQL vs MongoDB compared head-to-head: when to choose which, why Postgres wins for 95% of projects, JSONB vs documents, and free hosting tiers.

Editors(2)

Neovim Lua: Env Variables, vim.api & init.lua

Pass env vars to vim.fn.jobstart, learn the vim.* namespace (vim.fn, vim.api, vim.opt), and build a clean init.lua with autocommands and vim.uv async I/O.

Neovim: A Developer Guide to the Modern Vim

Master Neovim: modes, motions, text objects, registers, built-in LSP, Tree-sitter, Lua configuration, lazy.nvim plugins, and macros.

AI & Automation(10)

Local LLMs for Coding in 2026: Models, Hardware, Runtimes

Local LLMs for coding in 2026: Qwen2.5-Coder 32B at 73.7 Aider, Ollama vs llama.cpp vs LM Studio, and how to point Cursor or Continue at localhost.

Securing Your Dev Environment for AI Coding Agents

Treat your AI coding agent as an untrusted intern: scope and expire API keys, lock down Docker egress, and assume prompt injection will exfiltrate secrets.

How to Build an MCP Server: TypeScript & Python (2026)

Build a Model Context Protocol server in TypeScript or Python in 2026: SDK quickstart, transports (stdio vs Streamable HTTP), security, and client setup.

MCP Server Environment Variables & Secrets

How MCP servers receive secrets through the env block, why stdio servers do not inherit your shell, and scoping tokens so prompt injection cannot drain them.

AI Dark Factory Part 5: Security & Governance

Secure an AI dark factory with harness engineering: defense in depth, OS sandboxing, secrets, supply-chain lockdown, audit trails, and the OWASP Agentic Top 10.

AI Dark Factory Part 4: Scaling Agentic Coding

Scale your AI dark factory: git worktrees, Agent Teams, model routing, prompt caching, budget gates, observability, and agentic coding economics that work.

AI Dark Factory Part 3: Spec-Driven Development

Spec-driven agentic coding for an AI dark factory: write precise specs, run holdout scenarios as quality gates, build an eval pipeline, and auto-merge safely.

AI Dark Factory Part 2: Agent Setup & AGENTS.md

Set up your AI dark factory agent: install Claude Code, write a production-grade AGENTS.md, decompose agentic coding tasks, and build feedback loops that learn.

AI Dark Factory: Autonomous Coding Explained

AI dark factory: autonomous coding where agents write, test, and ship without human review. Coined by Dan Shapiro, Glowforge, January 2026.

AI Dark Factory Playbook: From Autocomplete to Autonomous

Six-level AI dark factory playbook from manual coding (Level 0) to fully autonomous code (Level 5). Concrete agentic-coding actions, real numbers, no hype.