John Behan - Software Engineer

John Behan

Software Engineer

Keeping secrets

Some values in your application are unique to where your app is being run. For example you may be testing your app against a local server when you are developing it on your computer. But when you publish your app you will want it to use a publicly available server on the Internet.

Another issue you face is maintaining values in your app that you don't want to share publicly. Things like an API Key or a database password are examples of these. You can have them in your code when working on your computer. But when you push your code to a repository, or share it with a colleague, you don't want to send these secret values.

Managing these values can be painful. It is very easy to forget to change them before publishing or pushing your code.

  • If you forget to change a value that points to a local server your app will break. Worse - it may break for everyone but you as you are still running the local service your app needs 🤦🏼‍♀️
  • Forget to remove secrets and you risk publishing sensitive information. At best this will mean a cleanup job for your Git repository and a quick change of those secrets. At worst…. well that's a subject for another day.

There is a simple solution for these probelms.

Environment Variables

Let's break this down a little. The environment can be:

  • The computer you are using when writing your application.

  • For a backend service it could be the server that you deploy your application to.

  • A frontend application may need to go through a build step. The environment in this case is the system where you perform the build step.

You are already familiar with variables. They are a way to refer to a value stored in memory. Environment Variables are the same.


The example application is a Node service which is connected to a database. It is deployed to Heroku. Heroku is one of the easiest ways to deploy a node application. Setting Environment Variables there is straightforward. But you could use any platform - Environment Variables will be available there too.

This app has both problems I outlined at the start:

  1. You may want to use a local database during development. But your app uses a different database for production. So you need to change the database connection string when deploying.
  2. The connection string is a secret that you do not want to share. You do not want this information leaking to the Internet. Doing so would compromise the integrity of your application and the security of your data.

You can solve these problems by using Environment Variables. The best way to do this on your local machine is to use the dotenv package.

  1. Install dotenv: npm i dotenv

  2. At the top of the main file of your application (index.js for example) add: require('dotenv').config()

  3. Create a .env file in the root directory of your application

  4. Add the variables the app needs into this new file. For example: DATABASE_CONNECTION_STRING=mongodb://localhost:27017

  5. Add .env to your app's .gitignore file.

Now replace any instance of the database connection string with process.env.DATABASE_CONNECTION_STRING

Adding .env to your app's .gitignore file solves the second problem - exposing sensitive information. Now when you push your code to the repository the database connection string is not included.

You still need to address how to use Environment Variables when your app is deployed. The production database will have a different URL. For example its connection string could be mongodb://

In Heroku you can add this information with Heroku's Config Vars. Remember to use the same variable name - DATABASE_CONNECTION_STRING

That's it! When your app is deployed to Heroku it will connect to the production database.

Key Takeaway

I hope you can see how effective Environment Variables will be for you in your code. They are quite easy to start using. But as with anything - the more you practise using them, the easier they become to use.

Look through your code. Check for any places you are hardcoding values that are dependent on the environment. Some places to look are:

  • database connection - username, password, url
  • api keys and ids
  • path such as your app's url

You can also use Environment Variables in your frontend code. The underlying principle is the same.


dev basics, javascript, managing code