.env-
| Practice | Rationale |
|----------|-----------|
| Use .env.example | Provide a template with dummy values and clear placeholders. |
| Keep it minimal | Only store variables that change per environment (DB credentials, API keys, feature flags). Hardcode truly constant values. |
| Validate at startup | Application should crash early if required variables are missing or malformed. |
| No secrets in client-side code | .env files are for server-side or build-time only. Never bundle secrets into frontend JavaScript. |
| Use prefix naming | e.g., APP_, DB_, API_ to avoid collisions with system variables. |
| Production alternative | For deployed apps, use platform environment variables (Heroku, AWS ECS, Kubernetes ConfigMaps/Secrets) rather than on-disk .env files. |
In the modern landscape of software development, the humble .env file has become as ubiquitous as index.js or main.py. It is the standard bearer for configuration management, holding the keys to our digital kingdoms—API secrets, database passwords, encryption salts, and cloud credentials.
But a new pattern has emerged in the developer lexicon, often whispered about in post-mortem meetings and Slack channels: .env- (dot-env-dash).
You might have seen it as .env-production, .env-staging, .env-backup, or .env-old. While seemingly innocent, the use of a hyphen after the .env prefix represents one of the most common, yet easily fixable, security vulnerabilities in web applications today.
In this deep dive, we will explore what the .env- pattern is, why it breaks the rules of standard .env loaders, the catastrophic security risks it introduces, and how to refactor your workflows to keep your secrets secret.
First, let's define our terms. The standard Twelve-Factor App methodology dictates that configuration should be stored in environment variables. To make local development easier, developers use .env files—plain text files listing key-value pairs (e.g., DB_PASSWORD=supersecret).
The .env- pattern refers to any file that begins with .env followed immediately by a hyphen and then a modifier. Common examples include .env-production, .env-staging, .env-backup, and .env-old.
The hyphen is the critical character. It is not a dot (.), an underscore (_), or a slash (/). It is a dash. And in the world of glob patterns, libraries, and operating systems, the dash changes everything.
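As an added illustration (not code from the original article) of how the dash slips past the usual ignore rules, the script below approximates .gitignore matching with Python's fnmatch and reports which env-style files in a constructed sample tree would still be committed under a typical rule set versus one that also covers `.env-*`. The sample file names and both rule sets are assumptions constructed for the demonstration.

```python
import fnmatch
import os

# Constructed sample of a working tree: the dash variants named in the
# article sit next to the files most projects expect to see.
SAMPLE_TREE = [
    ".env", ".env.local", ".env.example",
    ".env-production", ".env-staging", ".env-backup", ".env-old",
    "index.js", "main.py",
]

# A typical "we ignore env files" rule set, and one that also covers the dash.
WEAK_GITIGNORE = [".env", ".env.*"]
HARDENED_GITIGNORE = [".env", ".env.*", ".env-*", "!.env.example"]

# Files that are meant to be committed (templates with dummy values only).
ALLOWED_TO_COMMIT = {".env.example"}


def is_ignored(name, patterns):
    """Approximate .gitignore matching with fnmatch: patterns apply in order,
    a leading '!' re-includes the file, and the last matching pattern wins.
    (Real gitignore also handles directory anchors and '**'; not needed here.)"""
    ignored = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        if fnmatch.fnmatch(name, pattern[1:] if negated else pattern):
            ignored = not negated
    return ignored


def unprotected_env_files(files, patterns):
    """Return env-style files that would be committed under these patterns."""
    return sorted(
        f for f in files
        if f.startswith(".env")
        and f not in ALLOWED_TO_COMMIT
        and not is_ignored(f, patterns)
    )


def scan_directory(path, patterns):
    """Run the same check against a real directory (top level only)."""
    return unprotected_env_files(os.listdir(path), patterns)


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_GITIGNORE), ("hardened", HARDENED_GITIGNORE)):
        leaked = unprotected_env_files(SAMPLE_TREE, rules)
        print(f"{label:8s} rules -> unprotected: {leaked or 'none'}")
```

Run it as a pre-commit hook with `scan_directory(".", HARDENED_GITIGNORE)` and fail the commit when the returned list is non-empty.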
While the .env file is a staple of local development, the industry is slowly moving past the physical file for production.
Modern secrets management tools (like HashiCorp Vault, AWS Secrets Manager, or Docker Secrets) allow applications to fetch passwords from a secure vault at runtime rather than reading them from a text file sitting on a hard drive.
While this is more secure, the .env file remains the king of local development. It is quick, dirty, and universal.