You can pass a .env file directly using the --env-file flag. Common Pitfalls to Avoid
Your app likely behaves differently on your laptop than it does on a production server. Environment variables allow you to change settings without touching a single line of code.
Many security standards (like SOC2 or PCI-DSS) strictly forbid storing plaintext secrets in codebases. Best Practices for Working with .env 1. The .gitignore Rule (Non-Negotiable)
Do not use spaces around the equals sign (e.g., KEY = VALUE will often fail; use KEY=VALUE ).
Here is a deep dive into why .env files matter, how to use them correctly, and the "gotchas" you need to avoid. What is a .env File?
Most programming languages have a standard library or package to handle these files:
If you accidentally commit a .env file, simply deleting it in a new commit isn't enough—it stays in the Git history. You must rotate your keys immediately and use a tool like BFG Repo-Cleaner to scrub the history.
Prefix your variables (e.g., MYAPP_PORT instead of just PORT ) to avoid clashing with system-level variables.
Use the dotenv package. require('dotenv').config() or import 'dotenv/config' . Python: Use python-dotenv . PHP: Use phpdotenv .
Since you aren't committing your actual secrets, your teammates won't know which variables they need to run the app. Create a template file called .env.example with the keys but none of the real values: PORT=3000 DATABASE_URL= STRIPE_API_KEY= Use code with caution. 3. Environment-Specific Files