How to Create and Use .env Files (2026)
Environment variables keep sensitive configuration out of your source code. API keys, database credentials, third-party tokens, and deployment-specific settings all belong in .env files rather than hardcoded in your application. This guide covers .env file format, naming conventions, loading strategies across languages, and security best practices.
- Covers .env file format.
- Covers variable naming conventions.
- Covers loading .env in your language.
- Covers security best practices.
.env File Format
A .env file is plain text with one variable per line in KEY=value format. No spaces around the equals sign. Values can optionally be quoted: DATABASE_URL="postgres://user:pass@host/db". Comments start with #.
Group related variables together with blank lines and comments for organization. Put database config together, API keys together, and feature flags together. This makes .env files scannable as they grow.
Boolean values should use consistent formatting: true/false, 1/0, or yes/no. Pick one convention for your project and document it. Environment variables are always strings, so code that tests the raw value (for example Python's bool() on the string "false") treats any non-empty value as truthy, which can cause subtle bugs; parse booleans explicitly.
Variable Naming Conventions
Use SCREAMING_SNAKE_CASE: all uppercase with underscores between words. This is the universal convention across languages and platforms. DATABASE_URL, API_KEY, SMTP_HOST follow this pattern.
Prefix related variables with a common namespace: DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASS. This groups variables visually and prevents naming collisions when you have many services.
Avoid generic names like KEY, URL, or SECRET. Always include the service name: STRIPE_API_KEY, SENDGRID_API_KEY, AWS_SECRET_KEY. This prevents confusion when you have multiple similar variables.
Loading .env in Your Language
Node.js: install the dotenv package (npm install dotenv) and add require('dotenv').config() at the top of your entry file. All variables become available as process.env.VARIABLE_NAME.
Python: install python-dotenv (pip install python-dotenv) and use from dotenv import load_dotenv; load_dotenv(). Variables are accessible via os.environ['VARIABLE_NAME'].
Docker and Docker Compose load .env files automatically from the project root. In docker-compose.yml, use env_file: .env or reference variables directly with $VARIABLE_NAME.
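The following is an added example, not code from the article or from the dotenv/python-dotenv projects. It implements a small parser for the format described in the ".env File Format" section (one KEY=value per line, optional quotes, # comments), a strict boolean parser that avoids the "non-empty string is truthy" trap, and a loader that, like python-dotenv's default behaviour, does not override variables already present in the process environment. The sample .env text is constructed; pass `os.environ` as the `env` argument to apply the values to the real process.

```python
import os
import re
from typing import Dict

# Constructed sample .env content exercising comments, blank lines,
# quoted values and the common boolean spellings.
SAMPLE_ENV = """\
# Database
DB_HOST=localhost
DB_PORT=5432   # trailing comment on an unquoted value
DATABASE_URL="postgres://user:pass@host/db"

# Feature flags
FEATURE_BETA=false
FEATURE_DARK_MODE='yes'
DEBUG=0
"""

# KEY must be a valid identifier; an optional leading "export" is tolerated
# so a file that is also sourced by a shell still parses.
_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse .env text into a dict. Raises ValueError on malformed lines."""
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected KEY=value, got {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ('"', "'"):
            # Quoted value: contents are taken verbatim up to the closing quote,
            # so '#' and spaces inside the quotes are preserved.
            quote = value[0]
            end = value.find(quote, 1)
            if end == -1:
                raise ValueError(f"line {lineno}: unterminated quote")
            value = value[1:end]
        else:
            # Unquoted value: a '#' preceded by whitespace starts a comment.
            value = re.split(r"\s#", value, maxsplit=1)[0].strip()
        result[key] = value
    return result


_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}


def parse_bool(value: str) -> bool:
    """Strict boolean parsing; unlike bool(str), 'false', '0' and 'no' are False."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def load_into(env: Dict[str, str], parsed: Dict[str, str],
              override: bool = False) -> Dict[str, str]:
    """Apply parsed values to an environment mapping.

    Existing variables win unless override=True, matching python-dotenv's
    default, so values injected by the deployment platform are not silently
    replaced by a stray .env file left in the image.
    """
    for key, value in parsed.items():
        if override or key not in env:
            env[key] = value
    return env


if __name__ == "__main__":
    values = parse_dotenv(SAMPLE_ENV)
    load_into(os.environ, values)
    print("FEATURE_BETA raw:", repr(values["FEATURE_BETA"]),
          "bool():", bool(values["FEATURE_BETA"]),
          "parse_bool():", parse_bool(values["FEATURE_BETA"]))
```

Running the script shows the pitfall directly: `bool("false")` is `True` while `parse_bool("false")` is `False`.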
Security Best Practices
Never commit .env files to version control. Add .env to your .gitignore immediately when creating a new project. This is the single most important .env security rule.
Create a .env.example file with all required variable names but placeholder values: API_KEY=your-api-key-here. Commit this file so teammates know which variables they need to configure.
Rotate secrets regularly. If a .env file is accidentally committed, immediately rotate all credentials it contains. Git history preserves the file even after deletion, so anyone with repository access could find it.
Use different .env files for different environments: .env.development, .env.staging, .env.production. Never use production credentials in development; a bug in development code could affect production data.
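The checks below are an added example, not code from the article or any project it mentions. They turn the practices in this section into something a pre-commit hook or CI job can run: confirm that `.gitignore` covers `.env` (and per-environment variants) while still allowing `.env.example`, confirm that every variable in `.env.example` exists in the real `.env` and vice versa, and flag `.env.example` values that do not look like placeholders. All three sample files are constructed, and the placeholder heuristic is an assumption you should tune to your own conventions.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List, Set

# Constructed sample files (not taken from any real project).
GITIGNORE = """\
node_modules/
.env
.env.*
!.env.example
"""

ENV_EXAMPLE = """\
# Commit this file; teammates fill in real values locally.
STRIPE_API_KEY=your-stripe-key-here
SENDGRID_API_KEY=your-sendgrid-key-here
DB_PASS=changeme
"""

ENV_REAL = """\
STRIPE_API_KEY=constructed-secret-value-1
SENDGRID_API_KEY=constructed-secret-value-2
DB_PASS=hunter2
DB_HOST=localhost
"""

_KV_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def env_pairs(text: str) -> Dict[str, str]:
    """Minimal KEY=value extraction; comments and blank lines are skipped."""
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            pairs[m.group(1)] = m.group(2).strip().strip("\"'")
    return pairs


def gitignore_ignores(gitignore_text: str, path: str) -> bool:
    """Simplified .gitignore evaluation for a top-level file: the last matching
    pattern wins, and a leading '!' negates. Directory-only patterns (trailing
    '/') never match a file."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#") or pattern.endswith("/"):
            continue
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if fnmatch(path, pattern):
            ignored = not negate
    return ignored


def check_env_consistency(example_text: str, real_text: str) -> Dict[str, Set[str]]:
    """Keys documented in .env.example but absent from .env, and the reverse."""
    example_keys = set(env_pairs(example_text))
    real_keys = set(env_pairs(real_text))
    return {
        "missing_in_env": example_keys - real_keys,
        "undocumented": real_keys - example_keys,
    }


# Assumed placeholder markers; adjust to the convention your team documents.
_PLACEHOLDER_MARKERS = ("your-", "changeme", "example", "placeholder", "xxx", "<", "todo")


def suspicious_example_values(example_text: str) -> List[str]:
    """Keys in .env.example whose value does not look like a placeholder,
    i.e. candidates for a real secret that should never be committed."""
    flagged = []
    for key, value in env_pairs(example_text).items():
        if value and not any(marker in value.lower() for marker in _PLACEHOLDER_MARKERS):
            flagged.append(key)
    return flagged


def run_checks(gitignore_text: str, example_text: str, real_text: str) -> List[str]:
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    for name in (".env", ".env.development", ".env.production"):
        if not gitignore_ignores(gitignore_text, name):
            findings.append(f"{name} is not ignored by .gitignore")
    if gitignore_ignores(gitignore_text, ".env.example"):
        findings.append(".env.example is ignored, so teammates will not get it")
    diff = check_env_consistency(example_text, real_text)
    for key in sorted(diff["missing_in_env"]):
        findings.append(f"{key} is in .env.example but not set in .env")
    for key in sorted(diff["undocumented"]):
        findings.append(f"{key} is set in .env but not documented in .env.example")
    for key in suspicious_example_values(example_text):
        findings.append(f"{key} in .env.example does not look like a placeholder")
    return findings


if __name__ == "__main__":
    for finding in run_checks(GITIGNORE, ENV_EXAMPLE, ENV_REAL) or ["all checks passed"]:
        print(finding)
```

With the constructed inputs the only finding is that `DB_HOST` is set in `.env` but missing from `.env.example`, which is exactly the drift the example file is meant to prevent.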