The key point here being to not commit this file to the remote repository.
waffle
Typically, you'd use a .env file for your local dev environment. On the production machine, you'd set those values in the OS's actual environment variables. That's the nice thing about dotenv: it lets you use the same code to do both without even needing to do environment checking.
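To make the pattern in the comment above concrete, here is a small hand-written .env loader (added example, not python-dotenv's own code): values from the file fill in only the names the real process environment does not already define, so production can export the same names and run identical code. The sample file contents and placeholder values are constructed for the example.

```python
import re

# KEY=value, optional "export " prefix, surrounding whitespace ignored
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=value lines into a dict.

    Blank lines and '#' comments are skipped; matching single or double
    quotes around a value are removed; an unquoted value loses any
    trailing ' # comment'. Malformed lines raise ValueError.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        else:
            val = val.split(" #", 1)[0].rstrip()
        values[key] = val
    return values


def load_into(values, env):
    """Copy parsed values into env, never overriding names already set
    there (so real environment variables win). Returns the keys applied."""
    applied = []
    for key, val in values.items():
        if key not in env:
            env[key] = val
            applied.append(key)
    return applied


# Constructed sample .env; these are placeholders, not real credentials.
SAMPLE_ENV = """
# local development settings
export DB_URL='postgres://dev:devpass@localhost/app'
API_KEY="not-a-real-key"
DEBUG=true # enabled locally only
"""


def demo():
    # Simulate a production process that already exported API_KEY:
    # the file value for API_KEY is ignored, the others are filled in.
    env = {"API_KEY": "from-real-environment"}
    applied = load_into(parse_dotenv(SAMPLE_ENV), env)
    return {"env": env, "applied": applied}
```

In real use you would pass `os.environ` as `env`; the dict here keeps the example self-contained.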
IceMetalPunk
Title is totally accurate.
I once didn't do this and literally died.
n.w.
It's protection against repo attacks as long as you put it in .gitignore. You might as well have it as any text file type, not .env exclusively. Usually there are env fields in your hosting, which means you can use env fields without a .env file.
qrjftvx
If security is very important then using a key vault is safer. This tool is primarily nice if you are going to use environment variables where you are deploying your code, and as a bonus it helps you avoid committing secrets to git as long as you don't commit the file.
kkiimm
You should use the secret variables as environment variables *on the server*.
Because a file with every secret variable in the project is pretty bad.
dany_fg
That's a good option, but the env file still exposes the password, which might be an issue depending on where it's located and who has/needs access to it.
That's why I used the keyring library. It supports multiple platforms, using their mechanisms for storing passwords/credentials in a safe way.
DiRo
The moment he started explaining this I knew what he was gonna do.
Akaiiro
But what's the difference from just making a "secrets.txt"?
禁-nx
I always use the "keyring" package.
KeithDart
If you're like 95% of people who develop something at work, then you'll have a cloud account anyway. Which means you have a secret manager. Which means this is completely unnecessary because you can store and retrieve credentials there.
chrism
I wouldn't call env particularly safe. /proc
DepressedNOF
So nice! Usually I create a txt with all the project's secret information and call a function to convert every row from the txt to a key->value of a dict.
LuizGustavo-dzwo
Yeah using a third party module to get your key from where you save all your keys sounds secure...
tomasseeber
You'd think this is the first thing programmers get taught, but at my new company I found the secrets for all environments just committed to the repo.
WillHuizenga
If you want to implement it, you need to check the key. And how exactly are you going to do that?
matthewlui
I use python-decouple and it's very easy to hard code.
itisazman
Just use environment variables, way easier, and you don't have to worry about accidental commits.
JonnieZuramski
I wish there was a better way for hardcoding secrets for client applications without a server :/
Mempler
Why are we stealing the job of setting environment variables from a process that is supposed to run our code (terminal, systemd, docker, etc.)?
The dotenv package is a strange package that creates confusion between environment variables and config files. :-)