My Development Notes


Environment Variables in NodeJS – All Info


Inside your NodeJS app you'll usually have an environment file: a .env file in the root of your app folder. This file stores critical info such as the connection string, including the username and password, used to connect to a database like MongoDB. It can also hold other security-sensitive values such as JWT secrets.

Since the .env file contains sensitive information, if it is pushed to a public repository (like GitHub), this data can be accessed by anyone, leading to unauthorized access to services or breaches. That's why you should never push .env to a remote repository.

So, how do you prevent the .env file from being pushed?

Use a .gitignore file. This file tells Git to ignore certain files or directories when committing changes to the repository. Here are the steps:

  • Create a .gitignore file in the root of your project
  • Add the following line:
        .env
  • Save the file. Git will now ignore .env in future commits, provided the file is not already tracked
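
A quick audit for the steps above, as an added example that is not part of the original post. The function name check_env_exposure and its finding labels are made up here; the git subcommands are standard. It reports when .env is not ignored, is already tracked (which .gitignore does not undo), or sits in past commits.

```shell
#!/bin/sh
# Added example: audit a Git working tree for an exposed .env file.
# Usage: check_env_exposure [REPO_DIR]
# Prints one finding per line. Returns 0 when .env is ignored, untracked
# and absent from history; returns 1 when any exposure is found.
check_env_exposure() {
    repo=${1:-.}
    status=0

    # 1. Does an ignore rule match .env? --no-index tests the rule itself,
    #    even when the file is already tracked.
    if ! git -C "$repo" check-ignore -q --no-index .env; then
        echo "NOT_IGNORED: no ignore rule matches .env"
        status=1
    fi

    # 2. Is .env in the index? Ignore rules have no effect on tracked files.
    if git -C "$repo" ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo "TRACKED: .env is tracked; untrack it with: git rm --cached .env"
        status=1
    fi

    # 3. Was .env ever committed on any branch? Old commits still contain it,
    #    so every secret in those versions should be rotated.
    if [ -n "$(git -C "$repo" log --all --format=%h -- .env 2>/dev/null)" ]; then
        echo "IN_HISTORY: .env appears in past commits; rotate those secrets"
        status=1
    fi

    return $status
}
```

Run it from the project root before the first push. A clean result prints nothing and returns 0.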

If I don’t push the .env file, how do I configure and make my website or app go live?

Instead of sharing .env files, you can configure environment variables directly on your server or deployment platform (e.g., AWS, Vercel, Heroku). If your teammates need the file, share it securely via tools like encrypted messaging or a secure file-sharing platform. Even better, put it on a USB flash drive and physically carry it to your office or workplace to hand it over to the designated person.

You can also consider using tools like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault for managing secrets in a secure manner.

