Using environment variables for secrets
Keep API keys and passwords out of your code
⏱ Est. ~7 min
01 · Read
The mistake that has cost companies millions of dollars: committing API keys and passwords directly into source code.
Once a secret is in git history, it stays there. Deleting it in the next commit doesn't help: anyone who clones the repo can still find it in the history, so a secret that was ever committed has to be treated as compromised and rotated. Bots actively scan GitHub for accidentally committed keys and start using them within minutes.
The fix is simple: environment variables. Instead of writing secrets in your code, you keep them in a .env file that is never committed. Your program reads the values from its environment at runtime, so the secrets never enter version control. The .env file is still plain text on disk, which is why it must be kept out of git and readable only by you.
💡 Picture this: Think of environment variables as the office safe. You don't tape the password to your screen (that's hard-coding it in the code). You lock it in the safe (the .env file) and take it out when you need it. And you certainly don't photocopy the safe's contents and hand them out to everyone (committing to git).
02 · Read
You inherit a Node.js app with a serious problem: secrets are hard-coded into the source. Let's find them, then fix the setup so the secrets are stored safely.
03 · Terminal exercise
First, find any hard-coded secrets in the code. Use grep to search for anything that looks like an API key or password.
04 · Terminal exercise
Now create a .env file to store the secrets safely. This file holds the real values, and we'll make sure it's never committed to git.
05 · Terminal exercise
The most critical step: add .env to .gitignore so it's never committed. Without this, git add . will sweep your secrets into the next commit.
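The three terminal steps above (find the hard-coded secrets, move them into .env, make sure git ignores .env) as one runnable script. This is an added example, not part of the original lesson: it builds a throwaway git repo with a constructed app.js containing fake secrets, then applies each step and verifies the result with git check-ignore. The file name app.js, the variable names API_KEY and DB_PASSWORD, and the sample values are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example for the grep / .env / .gitignore procedure (not the lesson's own code).
set -eu

# Build a throwaway git repo containing a constructed app.js with hard-coded secrets.
# Prints the repo path. The key and password values are made up for the demo.
setup_sample_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  cat > "$dir/app.js" <<'EOF'
const express = require('express');
const API_KEY = 'sk-constructed-sample-key-0000000000'; // constructed, not a real key
const DB_PASSWORD = 'hunter2';                          // constructed sample value
const PORT = 3000;
EOF
  printf '%s\n' "$dir"
}

# Step 03: grep for anything that looks like a hard-coded secret.
# Matches a KEY/SECRET/PASSWORD/TOKEN-style name assigned a quoted literal; prints file:line:text.
# A real scan should also catch long random strings, but the name-based pattern is the first pass.
find_hardcoded_secrets() {
  grep -rnEi "(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*['\"][^'\"]+['\"]" \
    --include='*.js' --include='*.json' --include='*.py' "$1" || true
}

# Steps 04-05: write the real values to .env (owner-only permissions), ship a
# .env.example with placeholders, and add .env to .gitignore (idempotent).
create_env_and_ignore() {
  dir=$1
  old_umask=$(umask)
  umask 077                      # .env is created mode 0600: readable by the owner only
  cat > "$dir/.env" <<'EOF'
API_KEY=sk-constructed-sample-key-0000000000
DB_PASSWORD=hunter2
PORT=3000
EOF
  umask "$old_umask"
  cat > "$dir/.env.example" <<'EOF'
API_KEY=your-api-key-here
DB_PASSWORD=your-db-password-here
PORT=3000
EOF
  # Only append when .env is not already listed, so re-running does not duplicate the line.
  grep -qxF '.env' "$dir/.gitignore" 2>/dev/null || printf '.env\n' >> "$dir/.gitignore"
}

# Verification: succeeds only if git would ignore .env, i.e. `git add .` cannot pick it up.
env_is_ignored() {
  git -C "$1" check-ignore -q .env
}

# Usage: run the whole procedure once on the sample repo.
repo=$(setup_sample_repo)
echo "Hard-coded secrets found:"
find_hardcoded_secrets "$repo"
create_env_and_ignore "$repo"
env_is_ignored "$repo" && echo ".env is ignored by git"
rm -rf "$repo"
```

The verification step is the one people skip: after editing .gitignore, run git check-ignore .env (or git status) and confirm .env does not show up as untracked before you commit anything.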
06 · Code example
Here's what the fixed app.js looks like. Instead of hard-coded values, it reads from process.env after loading .env.
app.js — using env vars (fixed)
require('dotenv').config(); // copies KEY=value pairs from .env into process.env
const express = require('express');
const app = express();

// Secrets come from the environment, not from source code
const API_KEY = process.env.API_KEY;
const DB_PASSWORD = process.env.DB_PASSWORD;
const PORT = process.env.PORT || 3000;

// Fail fast if a required secret is missing, instead of running half-configured
if (!API_KEY || !DB_PASSWORD) {
  console.error('Missing API_KEY or DB_PASSWORD: copy .env.example to .env and fill it in');
  process.exit(1);
}

console.log('API key loaded:', API_KEY ? 'Yes' : 'No');
// NEVER log the actual key value!
app.listen(PORT);
process.env is the process's environment; dotenv reads .env and copies each KEY=value line into it, and variables that are already set in the real environment win over the file. That is what lets a deployment set the variables directly (from the platform's secret store or CI settings) with no .env on the server at all. || 3000 gives a default when PORT isn't set, a common pattern that lets the app run without a .env; do the same for secrets only if you want to fail silently, which is why the example exits instead.
07 · Quiz
Why should you never commit a .env file to git?
- It contains secrets that would be exposed to anyone who clones the repo
- It makes the repo too big
- Git doesn't support .env files
- .env files only work on your local machine
08 · Fill in the blank
In Node.js with dotenv, you access an environment variable called API_KEY with process._____.API_KEY.
09 · Checklist
Your environment variable safety checklist. These four steps should become instinct on every project.
- .env is listed in .gitignore (and git status confirms it's not showing up as untracked)
- I never log real secret values
- I created a .env.example with placeholder values
- Any secret that was ever committed has been rotated, not just deleted from the code
※ This is an independent Traditional Chinese teaching project — not an official Anthropic product. Claude™ is a trademark of Anthropic, PBC.