unknown

Storing secrets in environment variables is insecure, commonly leading to poorly managed secrets, potential SSR leaks, and risk of secret exposure via logs and process lists. It is advised to use secrets management services or mechanisms like Kubernetes sidecar containers and cloud vendor secrets services to handle sensitive information securely, thereby reducing security risks and ensuring better secret management practices.

Do not use secrets in environment variables and here's how to do it better

News, updates, and discussions about everything happening in and around the Node.js runtime.

Node.js developers

❌ Stop storing secrets in environment variables. It's a bad practice and only fits hobby or side projects with no real business impact. Here are all the reasons why you should never store secrets in environment variables and how to do it better.

❌ Stop storing secrets in environment variables. It's a bad practice and only fits hobby or side projects with no real business impact. Here are all the reasons why you should never store secrets in environment variables and how to do it better.

The article brings up some valid points, but I still think environment variables can be a secure and practical way to manage secrets if handled right. Honestly, most of the issues the author mentions—especially in ‘Reason 1’—can be sorted out with proper security measures. In my experience, using env vars is pretty common even in highly regulated environments. Remember, security is like an onion—it has layers :)

nice! I store secrets in production where instead of the secret itself, they’re more of a url actually on a different domain which require a certain password to get (AES256 encrypted version of the environment variable name with a secret encryption key stored hard in a file) and once fetched, that’s the real value.

I don’t completely agree, but it is a great article.

<a href="https://app.daily.dev/ramimetry" data-mention-id="zblkRv8Dewuzte9bNrZm6" data-mention-username="ramimetry">@ramimetry</a>