What is the credential security checklist for production?
IAM roles on EC2 (not access keys), Secrets Manager for secrets, least privilege IAM policies, MFA on all users, pre-commit hooks, GitHub Secret Scanning, secret rotation strategy, encrypted backups, CloudTrail audit, and a disaster recovery plan. Rotate secrets immediately if leaked.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in dotenv and Credentials Summary Complete Security Checklist for Node.js
Install dotenv, create .env with secrets, create .env.example with placeholders, add .env to .gitignore, load dotenv at the entry point, centralize config in a config module, validate required variables, use IAM roles on EC2, use Secrets Manager for production, and set up pre-commit hooks.
.env, .env.local, .env.*.local, *.pem, *.key, credentials.json, service-account.json. Also ignore logs, node_modules, and OS files. Check with git log -p --all -- .env to ensure .env was never committed.
Use envalid's cleanEnv to define a schema with types, choices, defaults, and minLength. It validates all variables, type-casts them, provides defaults, and throws an error at startup listing all missing or invalid variables. This fails fast instead of failing later with confusing errors.
Still have questions?
Browse all our FAQs or reach out to our support team
