Where should I store secrets in a Node.js project?
In environment variables loaded with dotenv. Keep secrets in a .env file and add .env to .gitignore. Never hardcode secrets in source files.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Mistakes When Starting a Node.js Project (and How to Avoid Them)
No plan, no folder structure, secrets in code, no input validation, no error handling, plain-text passwords, JWT in LocalStorage, no health check, blocking the event loop, and no logging.
In an httpOnly, secure, sameSite cookie. LocalStorage is open to XSS and is risky. Cookies configured correctly are safer.
Because you cannot trust the request body. Missing fields or bad types can crash the server or cause data corruption. Validate early with a library like zod or express-validator.
Still have questions?
Browse all our FAQs or reach out to our support team
