Is it secure way to store private values in .env file?

node.js express security dotenv
17,825

Solution 1

Simple answer is YES, .env is used to store keys and secrets. It is not pushed to your repo i.e. github or bitbucket or anywhere you store your code. In that way it is not exposed.

Here are the tutorial links for correct usage:

Solution 2

It is more secure to store your secrets in a .env file than in the source code itself. But you can do one better. Here are the ways I've seen secrets managed, from least to most secure:

  1. Hard-code the secrets in the code.

    • Pros: None. Don't do this.
    • Cons: Your developers will see your production secrets as part of their regular work. Your secrets will be checked into source control. Both are security risks. Also, you have to modify the code to use it in different environments, like dev, test, and production.

  2. Put secrets in environment variables, loaded from a .env file.

    • Pros: Developers won't see your production secrets. You can use different secrets in dev, test, and production, without having to modify the code.
    • Cons: Malicious code can read your secrets. The bulk of your application's code is probably open-source libraries. Bad code may creep in without you knowing it.

  3. Put secrets in a dedicated secret manager, like Vault by HashiCorp or Secret Manager by Google Cloud.

    • Pros: It's harder for malicious code to read your secrets. You get auditing of who accessed secrets when. You can assign fine-grained roles for who updates secrets and who can read them. You can update and version your secrets.
    • Cons: It's additional technology that you have learn. It may be an additional piece of software that you need to set up and manage, unless it's included in the cloud platform you're using.

So the choice is really between items 2 and 3 above. Which one you pick will depend on how sensitive your secrets are and how much extra work it would be to use a dedicated secret manager. For example, if your project is running on Google Cloud Platform, the Secret Manager is just one API call away. It may be just as easy on the other major cloud platforms, but I don't have first-hand experience with them.

Solution 3

It is yes. An additional security check can be added by using encrypted values. Also avoid to checkin your .env file in public repo.

Solution 4

You can and should store secrets, credentials or private data securely inside a .env is a secure environment config section in your projects, useful for storing API keys and app credentials. Only invited collaborators are able to see the contents of your .env file.

Share:
17,825
hyojoon
Author by

hyojoon

Updated on June 18, 2022

Comments

  • hyojoon
    hyojoon almost 2 years

    I'm trying to build a node.js server with express framework, and I want to store a private key for admin APIs in my server.
    I'm now using .env file to store those values, and in my routes, using that values by calling like process.env.ADMIN_KEY.

    Question
    Is it secure way to handle private datas? or there's another way better than this?

  • Abhik Chakraborty
    Abhik Chakraborty about 4 years
    Most secure way if you are using EBS, store all the secret env under EBS environment variables. And I am sure for other nodejs hosting services have the same capabilities.
  • Yves Ng
    Yves Ng almost 3 years
    I'm confused if it's not pushed to github and I use github repo as source for deployment on some cloud hosting, how will my deployed project use those secret values that lies within that .env?
  • Zeeshan Hassan Memon
    Zeeshan Hassan Memon almost 3 years
    @YvesNg if you're using physical or virtual machine i.e. EC2 or Azure VM etc then you can login in to the server then where your code/repo resides create .env and copy-past its contents. If you're using PaaS i.e. Heroku or something else then you can directly manage en variables without using .env file because they provide option for it.
  • Yves Ng
    Yves Ng almost 3 years
    @ZeeshanHassanMemon so that means manually adding a number of variables. neat xD
  • Jobin S
    Jobin S over 2 years
    what is the use of creating env file on a private codebase?
  • Jobin S
    Jobin S over 2 years
    what is the use of creating env file on a private codebase?
  • Zeeshan Hassan Memon
    Zeeshan Hassan Memon over 2 years
    It is a possible way of keeping secrets hidden and also a way to manage the environment without polluting global stuff.
  • riccardogabellone
    riccardogabellone over 2 years
    @JobinS development and testing purposes

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Node.js Express Framework Security Issues
Toggle between multiple .env files like .env.development with node.js
Node.js + Express.js User Permission Security Model
require('https') vs require('tls')
Socket IO flutter not connecting
How to solve insecure http not allowed by platform flutter?
Flutter How can download pdf file from api
Error: Request failed with status code 400 - AXIOS NODEJS
Is MVC in node.js important for deveolping a restful api?
UnhandledPromiseRejectionWarning: Unhandled promise rejection in _.map in NodeJs