What is the 12-factor app methodology for config?
Factor 3 states that config should be stored in environment variables, not in code. Code is logic (same across all environments). Config is variables that change between environments (database URIs, API keys, secrets). Separating them makes your app secure, flexible, and portable.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Environment Variables vs Hardcoded Config Why You Should Never Hardcode Secrets
Hardcoded secrets are committed to Git history forever (even after deletion), visible to all team members, same across all environments (dev and prod share secrets), can't be changed without code modification, and are a serious security risk. Use environment variables instead.
Use env vars for: database URIs, API keys, JWT secrets, email credentials, service URLs, feature flags, logging levels. Hardcode: API route paths, pagination defaults, validation rules, error messages, HTTP status codes anything that's the same in all environments and not a secret.
You use the same code with different .env files for each environment. .env.development has local DB and dev secrets. .env.production has production DB and strong secrets. No code changes needed just swap the .env file. This makes deployment easy and secure.
Still have questions?
Browse all our FAQs or reach out to our support team
