Environment variables, or keeping your secrets secret in a Node.js app
Imagine you have some Node.js code that uses an external API which needs an API key:
If we commit the above code to GitHub we divulge our secret API key allowing someone to use our account. This isn’t a rare event — many developers accidentally commit their credentials and others seek them out for nefarious purposes!
Keeping your secrets secret
Credentials are usually hidden in environment variables that your application can pick up when it runs. Our code now looks like this:
We expect an environment variable called MYAPIKEY to be there when our code runs. This file can now be safely committed to git.
Setting environment variables
On the command line, environment variables can be set using export on Mac/Linux and set on Windows, e.g.
Once set, you can run your application in the usual way, e.g.
As a shortcut, you can define environment variables and run the app in a single line:
MYAPIKEY=ndsvn2g8dnsb9hsg node app.js
Using the dotenv package
A simple way of defining multiple environment variables on your local machine is to use the dotenv package.
Create a .env file at the top of your project containing the environment variables you want to set:
Then at the entry point in your code add:
which loads the values from the .env file into your application's
The .env file can be excluded from any git commits by adding a .env line to your .gitignore file.
Environment variables in Bluemix
Bluemix sends its configuration to its CloudFoundry applications through environment variables:
- VCAP_SERVICES - a JSON-encoded object describing the services that are paired with your application
- VCAP_APPLICATION - a JSON-encoded object describing your application's metadata
- custom environment variables can be defined in the Bluemix dashboard and are available to read in your application’s
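
As an added example (not code from the original article): one way to read the MYAPIKEY variable and the VCAP_SERVICES object described above, stopping at startup when the key is missing and masking it in log output. The helper names, the service label and the instance name are assumptions made for this example.

```javascript
// Added example: helper names and sample values are assumptions, not the article's code.

// Return the value of a required environment variable or throw, so a
// missing secret stops the app at startup instead of at the first API call.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

// Mask a secret for log output: keep only the last 4 characters.
function mask(secret) {
  return secret.length <= 4 ? '****' : '*'.repeat(secret.length - 4) + secret.slice(-4);
}

// Find the credentials object of a bound service in VCAP_SERVICES.
// VCAP_SERVICES maps a service label to an array of instances, each with
// "name" and "credentials". Returns null when the variable is absent
// (e.g. on a developer machine) or no instance has that name.
function vcapCredentials(instanceName, env = process.env) {
  if (!env.VCAP_SERVICES) return null;
  let services;
  try {
    services = JSON.parse(env.VCAP_SERVICES);
  } catch (err) {
    throw new Error('VCAP_SERVICES is not valid JSON');
  }
  for (const instances of Object.values(services || {})) {
    if (!Array.isArray(instances)) continue;
    const match = instances.find((i) => i && i.name === instanceName);
    if (match) return match.credentials || null;
  }
  return null;
}

// Constructed sample environment; the service label and instance name are
// made up, and the key is the sample value used earlier on the page.
const sampleEnv = {
  MYAPIKEY: 'ndsvn2g8dnsb9hsg',
  VCAP_SERVICES: JSON.stringify({
    'example-db': [{ name: 'my-db', credentials: { url: 'https://db.example.invalid' } }],
  }),
};

console.log('API key loaded:', mask(requireEnv('MYAPIKEY', sampleEnv)));
console.log('DB URL:', vcapCredentials('my-db', sampleEnv).url);
```

In a real application, call the helpers without the second argument so they read from process.env.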