What should be in .gitignore for credentials?
.env, .env.local, .env.*.local, *.pem, *.key, credentials.json, service-account.json. Also ignore logs, node_modules, and OS files. Check with git log -p --all -- .env to ensure .env was never committed.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in dotenv and Credentials Summary Complete Security Checklist for Node.js
Install dotenv, create .env with secrets, create .env.example with placeholders, add .env to .gitignore, load dotenv at the entry point, centralize config in a config module, validate required variables, use IAM roles on EC2, use Secrets Manager for production, and set up pre-commit hooks.
Use envalid's cleanEnv to define a schema with types, choices, defaults, and minLength. It validates all variables, type-casts them, provides defaults, and throws an error at startup listing all missing or invalid variables. This fails fast instead of failing later with confusing errors.
All the same keys as .env but with placeholder values (replace_with_your_secret, mongodb://localhost:27017/devtinder). This serves as a template for new developers. Never put real secrets in .env.example. It should be committed to Git.
Still have questions?
Browse all our FAQs or reach out to our support team
