DEV Community

Jarret Bryan
Jarret Bryan

Posted on

Byte-Sized: .env Keeping things Secure

I spent a little time recently looking into how to build a twitter bot with JavaScript; it's actually not super difficult - but it's definitely worth exploring the ethics, intent, potential and ramifications around - but I came across something that I hadn't been familiar with - .env files.

I have my bot projected situated on - and the project I remixed already had a .env file included. But I wasn't entirely familiar with the idea.

My Glitch Directory

Glitch is fantastic as a community and a project that I could fork a repository and receive a blank .env file - providing me with the template without betraying the previous repository owner's content and secrets.

But... what is a .env file? And why do I have on Glitch for a twitter bot?

So .env files are the solution to the problem of - how do I keep my APIkeys secure.
I need to talk to the TwitterAPI to make my Twitter bot. But the case for many APIs is just that I would need a secure key to talk to the API. And that key needs to stay secure - I can't just post that to a public repository on Github for the world to see. Anyone could grab it and use it.

Quick solution is the dotenv npm package - Glitch allows me to have the package on their site, but let's say I'm working locally in JS. Quick install:

npm install dotenv --save
Enter fullscreen mode Exit fullscreen mode

Now that I have the package, I require it as early as possible in my program:

Enter fullscreen mode Exit fullscreen mode

And now I can have my APIKey, set in an .env file -

echo "API_KEY=secure_API-key_here" >> .env

Enter fullscreen mode Exit fullscreen mode

And if open up that file, I can see my secure API key, and it doesn't have to be situated in the other files in my repository. I'm in business! dotenv is going to look for a .env file, and when I run my the required .js file for my application, dotenv will read the .env file and make its contents available to my process as an environment variable. I can access that variable with


And if I add my .env file to my .gitignore file, I don't have to commit my secrets for the world to see. Keeping my keys secure, and allowing my code to function.

Again, I first game across this in the context of by default keeps the .env file secure - so even if other users view your code, they don't have access to your secure keys. But your program still does!

Discussion (1)

mgrachev profile image
Grachev Mikhail

Another useful tool -Β
⚑️ It’s a lightning-fast linter for .env files πŸ”₯