The Risk of Hardcoded Secrets
If your SECRET_KEY or DATABASE_URL is hardcoded
in your source code and pushed to a public GitHub repository,
anyone can find it and use it to forge tokens or connect to your database.
Deleting the line later does not help: the value stays in the commit history,
so a secret that was ever pushed has to be treated as compromised and rotated.
This is one of the most common security mistakes
junior developers make.
The Solution: .env Files
A .env file stores sensitive values locally, on the developer's machine.
It is never committed, because you list it in .gitignore.
Since .env is the one place the real secret lives, give SECRET_KEY a long random value,
for example the output of python -c "import secrets; print(secrets.token_hex(32))",
rather than a memorable phrase.
DATABASE_URL=sqlite:///app.db
SECRET_KEY=gdgoc-bowen-secret-key-2026
ALGORITHM=HS256
TOKEN_EXPIRE_HOURS=24
Loading .env in FastAPI
from dotenv import load_dotenv   # pip install python-dotenv
import os

load_dotenv()  # reads .env; does not override variables already set in the real environment

SECRET_KEY = os.getenv("SECRET_KEY")
if not SECRET_KEY:  # fail at startup, not at the first token signing
    raise RuntimeError("SECRET_KEY is not set")

DATABASE_URL = os.getenv("DATABASE_URL")
ALGORITHM = os.getenv("ALGORITHM", "HS256")
TOKEN_EXPIRE_HOURS = int(os.getenv("TOKEN_EXPIRE_HOURS", "24"))
No hardcoded values anywhere in the code; everything comes from the environment.
Because load_dotenv() only fills in variables that are not already set,
production can skip the .env file entirely and inject real environment variables.
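As an added example (not code from the post), here is a loader that goes one step past the snippet above: it reads the same four variables, applies the real-environment-wins rule of load_dotenv(), and refuses to start if a variable is missing, if SECRET_KEY is still the .env.example placeholder or shorter than the 256 bits HS256 needs, or if ALGORITHM is not one the app supports. The small parse_dotenv() is a simplified stand-in for python-dotenv so the block runs offline; the .env text, the Settings class and the REQUIRED tuple are assumptions made for this example.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Mapping

REQUIRED = ("DATABASE_URL", "SECRET_KEY", "ALGORITHM", "TOKEN_EXPIRE_HOURS")
ALLOWED_ALGORITHMS = {"HS256"}   # only the algorithm the app actually verifies with
MIN_SECRET_BYTES = 32            # RFC 7518: an HS256 key must be at least 256 bits
PLACEHOLDER_RE = re.compile(r"^your_.*_here$", re.IGNORECASE)  # .env.example values

# A .env body constructed for this example. The key is generated on the fly
# with secrets.token_hex(32); in practice you generate it once and paste it
# into the real .env, never into source control.
SAMPLE_DOTENV = f"""\
# blank lines and comments are ignored
DATABASE_URL=sqlite:///app.db
SECRET_KEY="{secrets.token_hex(32)}"
ALGORITHM=HS256
TOKEN_EXPIRE_HOURS=24
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser, a simplified stand-in for python-dotenv."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        values[key.strip()] = value
    return values


def merge_env(environ: Mapping[str, str], dotenv: Mapping[str, str],
              override: bool = False) -> dict[str, str]:
    """Apply .env values the way load_dotenv() does: a variable already set
    in the real environment wins unless override=True."""
    merged = dict(environ)
    for key, value in dotenv.items():
        if override or key not in merged:
            merged[key] = value
    return merged


@dataclass(frozen=True)
class Settings:
    database_url: str
    secret_key: str
    algorithm: str
    token_expire_hours: int


def settings_from_env(environ: Mapping[str, str]) -> Settings:
    """Build Settings from an environment mapping, failing fast and loudly
    instead of starting the app with None or a placeholder secret."""
    missing = [name for name in REQUIRED if not environ.get(name)]
    if missing:
        raise RuntimeError(f"missing required environment variables: {', '.join(missing)}")

    secret = environ["SECRET_KEY"]
    if PLACEHOLDER_RE.match(secret):
        raise RuntimeError("SECRET_KEY still holds the .env.example placeholder")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"SECRET_KEY must be at least {MIN_SECRET_BYTES} bytes for HS256")

    algorithm = environ["ALGORITHM"]
    if algorithm not in ALLOWED_ALGORITHMS:
        raise RuntimeError(f"ALGORITHM {algorithm!r} is not one of {sorted(ALLOWED_ALGORITHMS)}")

    try:
        hours = int(environ["TOKEN_EXPIRE_HOURS"])
    except ValueError:
        raise RuntimeError("TOKEN_EXPIRE_HOURS must be an integer") from None
    if hours <= 0:
        raise RuntimeError("TOKEN_EXPIRE_HOURS must be positive")

    return Settings(environ["DATABASE_URL"], secret, algorithm, hours)


if __name__ == "__main__":
    # Real app: merge_env(dict(os.environ), parse_dotenv(Path(".env").read_text()))
    env = merge_env({}, parse_dotenv(SAMPLE_DOTENV))
    print(settings_from_env(env))
```

Note that the post's own sample key, gdgoc-bowen-secret-key-2026, is 27 bytes and would be rejected by the length check; that is the point of the check, since an HS256 key shorter than the hash output is both against the spec and far easier to brute-force.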
.env.example: The Documentation
.env is never pushed to GitHub, but other developers
need to know which variables are required.
That's what .env.example is for:
DATABASE_URL=your_database_url_here
SECRET_KEY=your_secret_key_here
ALGORITHM=HS256
TOKEN_EXPIRE_HOURS=24
This file IS pushed to GitHub.
It shows the required variables without exposing real values.
A new developer copies it (cp .env.example .env) and fills in their own values.
.gitignore: The Safety Net
Make sure .env is in your .gitignore:
.env
__pycache__/
*.pyc
*.db
venv/
If .env is in .gitignore, Git will not stage it, so it cannot be
pushed to GitHub by accident. Two caveats: .gitignore does not apply to a file
that was already committed, so if .env was ever tracked you must remove it with
git rm --cached .env and rotate every secret it held; and git add -f still
bypasses the ignore list. You can confirm the rule works with git check-ignore -v .env.
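The ignore rule only protects you if it is actually present and if no literal secret reached the source in the first place. The following is an added example, not part of the post, of a small pre-commit style check in Python: it confirms .gitignore lists .env and scans source text for secret-looking names assigned a quoted literal, including the os.getenv("NAME", "fallback") form, where the fallback is itself a hardcoded secret and silently masks a missing variable. The .gitignore and settings files are constructed samples (the bad one reuses the post's example key; the database password in it is made up), the regexes are deliberately simple, and env_is_ignored() only checks literal .env patterns, not full gitignore semantics.

```python
from __future__ import annotations

import re
import sys

# Variable names whose value should come from the environment, never from source.
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|API_KEY|TOKEN|PRIVATE_KEY|DATABASE_URL")
# NAME = "literal"  (also NAME: str = "literal")
LITERAL_ASSIGN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z_]\w*)\s*(?::[^=]*)?=\s*(?P<q>[\"'])(?P<value>[^\"']+)(?P=q)")
# os.getenv("NAME", "fallback") / os.environ.get("NAME", "fallback")
GETENV_DEFAULT_RE = re.compile(
    r"os\.(?:getenv|environ\.get)\(\s*[\"'](?P<name>\w+)[\"']\s*,\s*(?P<q>[\"'])(?P<value>[^\"']+)(?P=q)")
PLACEHOLDER_RE = re.compile(r"^(your_.*_here|changeme)$", re.IGNORECASE)

# Constructed sample inputs for this example (not real files).
GOOD_GITIGNORE = ".env\n__pycache__/\n*.pyc\n*.db\nvenv/\n"
BAD_GITIGNORE = "__pycache__/\n*.pyc\n"
SAMPLE_FILES = {
    "settings_bad.py": (
        'SECRET_KEY = "gdgoc-bowen-secret-key-2026"\n'
        'ALGORITHM = "HS256"\n'
        'DATABASE_URL = os.getenv("DATABASE_URL", "postgres://app:hunter2@db/app")\n'
    ),
    "settings_good.py": (
        'SECRET_KEY = os.getenv("SECRET_KEY")\n'
        'DATABASE_URL = os.getenv("DATABASE_URL")\n'
        'API_KEY = os.environ.get("API_KEY", "")\n'
    ),
}


def env_is_ignored(gitignore_text: str) -> bool:
    """True when .gitignore has a line that covers .env.
    Simplified: literal patterns only, no negation (!) handling."""
    for raw in gitignore_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line in (".env", "/.env", ".env*", "*.env", "**/.env"):
            return True
    return False


def find_hardcoded_secrets(filename: str, source: str) -> list[tuple[str, int, str, str]]:
    """Return (file, line number, variable name, reason) for every line where a
    secret-looking name gets a non-placeholder quoted literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, reason in ((LITERAL_ASSIGN_RE, "literal assignment"),
                                (GETENV_DEFAULT_RE, "getenv fallback")):
            m = pattern.search(line)
            if not m:
                continue
            name, value = m.group("name"), m.group("value")
            if (SECRET_NAME_RE.search(name.upper())
                    and not value.isdigit()            # e.g. TOKEN_EXPIRE_HOURS = "24"
                    and not PLACEHOLDER_RE.match(value)):
                findings.append((filename, lineno, name, reason))
    return findings


def check_repo(gitignore_text: str, sources: dict[str, str]) -> list[str]:
    """Run both checks and return human-readable problems; empty means clean."""
    problems = []
    if not env_is_ignored(gitignore_text):
        problems.append(".gitignore does not list .env")
    for filename, source in sources.items():
        for _, lineno, name, reason in find_hardcoded_secrets(filename, source):
            problems.append(f"{filename}:{lineno}: {name} looks like a hardcoded secret ({reason})")
    return problems


if __name__ == "__main__":
    # As a real hook, read .gitignore and the staged files from
    # `git diff --cached --name-only` instead of the constructed samples.
    problems = check_repo(BAD_GITIGNORE, SAMPLE_FILES)
    print("\n".join(problems) or "clean")
    sys.exit(1 if problems else 0)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit, which is the moment you want to catch a secret: before it ever enters history.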
Postman Proof
Lessons Learned
Never hardcode secrets. Ever.
Use .env for local development only; in production, inject real
environment variables or use a proper secret manager such as
AWS Secrets Manager, and rotate any secret that was ever committed.
Day 18 done. 12 more to go.