Table of Contents

Environment Variables

Written on by Jessica Agorye

Estimated read time 10 minutes
Hosting Services Explained

Environment Variables – What They Are and Why They Matter for Hosting

It's common for developers to use third-party software to add certain features to their application. For example, when developers integrate external services using an API into their applications, they are given an API key for access to the resources for security reasons.

Developers use environment variable, to store the API key and other configurations the application needs for safety and consistency. 

Furthermore, environment variables are also configured within hosting environments to secure sensitive data the application needs to run efficiently.

In this article, we’ll see what environment variables are, their importance and why they matter for hosting.

TL; DR

Environment variables are key value pairs that store configuration of your application. They are stored in a .env file outside of the source code, and are commonly used to store API Keys, URLs and other variables that would be reused repeatedly within the application.

They are used for storing secrets, but they should only be used within your local environment, and not within a public repository to avoid security risk.

During production stage environment variables can be configured within the hosting platform to connect to components that the application needs to run smoothly.

50%

SAVE UP TO 50% ON VERPEX YEARLY RESELLER HOSTING PLANS

with the discount code

AWESOME

SAVE NOW

What are environment variables?

Environment variables are key value pairs that store configuration of your application and they determine how your application behaves in different environments. They are stored in outside of the source code, and live in the .env file.

An environment variable is provided by the environment in which the code is running, and developers can use then where they are needed within the code.

In other words, if you have a variable that would be used repeatedly, instead of repeating code within your source code, you can store it in a .env file, and the application then reads this variable from the .env file.

Environment variables are commonly used to store API keys. When working with an API, the provider provides a key to connect their service to your application.

To secure the API key, and protects it from being seen, instead of hard coding and storing it within a source file which will be pushed to a public repository, you should store it inside an environment variable.

Environment variables is used for data that changes whether it running in production, development or staging, and it allows developers to run application in different environments without changing their code. 

Common use cases of environment variables

  • Used to configure application environment. 

  • Used to store sensitive information such as API key, tokens, or password.

  • Used to store HTTP port for the application to listen to 

  • Used to store API endpoints.

Benefits of Environment Variable

Prevent Hardcoding Sensitive Information: Saving secret tokens, URL links, API keys directly in your code poses a risk if the code is made public and compromised. Environment variables store sensitive values outside your code which can prevent them from being exposed to security risks. 

Secure Management without Code Changes: Environment variables allows developers switch between environments like development, testing or production an change credentials without touching your code which leads to a cleaner workflow.

Secret Handling in Production: When an application is pushed to production, environment variables can be made secure by using secret management tools like HashiCorp vault to add an extra layer of security including encryption and control over who has access to the data, audit logs, and so on.

Reduces Risk of Exposing Sensitive Data: When an error occurs that exposes critical information such as committing code to a public repository, using environment variables with other secure management practices reduces the chance of the exposure leading to security breaches. 

Limitations of Environment Variables

Security Risk: Environment variables can be exposed to security risk if best practices aren’t followed. For example, if a developer logs the entire environment variables to a monitoring tool, anyone with access can see the sensitive information.

No Central Audit: Environment variables store values in system memory or configuration, and they do not keep any record of who created them, changed or edited them, so when a secret key is leaked it is difficult to track where it is coming from. 

Pushing .env File by Mistake: If you push a .env file by mistake, it becomes exposed. To fix the error, you can quickly remove the file from Git history and then change the exposed keys.

How Environment Variables are used in a React App

React has built-in support for environment variable, so you do not have to install any package and react reads the variables from the .env files without requiring any setup.

Environment variables are written in .env file created in the root directory of an application.

To create a custom variable you must use the prefix REACT_APP_

Inside the .env file, each line defines a variable with the format
REACT_APP_VARIABLE_NAME = value as shown in the image below. 

If you use VITE, it is similar to CREATE REACT APP. Instead of REACT_APP_, Its prefix is VITE_ 

E.g., VITE_API_URL_KEY= value (API key).

Note: You do not have to add APP after VITE_ when naming variables, it isn’t necessary, the most important is the prefix VITE_

To access these variables using CREATE REACT APP, you have to use process.env.REACT_APP_ the variable name like so;

process.env.REACT_APP_API_KEY

For example, if you want to make an API call, you would use the API URL in your project like so; 

const apiUrl = process.env.REACT_APP_API_URL (Remember that the url is stored in the .env file)

And for Vite, you have to use import.meta.env. VITE_API_KEY to access stored variables.

Note:  The way environment variable is used in the frontend is different from the backend environment (e.g., Node.js). If you’re using environment variable for the frontend, there are rules you have to follow. 

The naming rules and conventions include:

  • Variable name should start with REACT_APP_ or VITE_

  • Variables are embedded in the build, therefore, do not store secrets like private JWT secret, tokens, or database passwords in the .env file.

Environment Variable in Node Environment

If you are working with the backend and using Node.js, you create the environment variable file in the server root folder of your project. 

create the environment variable file

Then, add the variables you want to store in the file.

add the variables you want to store in the file

After storing the variables in the .env file, Install  npm install dotenv  so that node can read the file and your server can access the values. 

Install npm install dotenv

To use the variables within the .env file inside your server file, require dotenv as shown in the image below.

use the variables within the .env file

When you run the server, you should see environment variable loaded as shown in the image below.

see environment variable loaded

In the image above the server isn’t running on the default port but the one specified in the .env file. This means that the dotenv package is installed has successfully read the .env file.

Why does environment variable matter for Hosting? 

Environment variable protect sensitive data like payment gateway keys, database passwords, API keys, etc. They make hosting your application secure and they also control how your application behaves on a hosting server. If they are not configured correctly, the application may expose sensitive data or fail to connect to services when in production. 

How do you deploy and run in production if you can't push .env ?

.env file is not pushed during production, It is usually added to .gitignore file so that it prevents Git from pushing its data to the repository, and then you can set the variables in the hosting platform.

.env file is for your local development. For production, hosting platforms provide secure environment systems you have to configure to allow the server access stored variables using process.env or importmeta.env during build or runtime.

Environment variables alone aren’t the only way to secure sensitive data, many engineering teams use a dedicated secrets management service to solve problems of secrets.

Some management services have a centralised encrypted location where all .env file are stored for example AWS secret manager supports automation of secrets which means that it can rotate or updates secrets without you having to manually change them.

Also doppler a modern secret management service allow you store secret keys for apps and fetch them at runtime.

50%

SAVE 50% ON VERPEX YEARLY SHARED HOSTING PLANS

with the discount code

AWESOME

SAVE NOW

Summary 

Environment variables are crucial for securing sensitive data that the application needs, for instance API keys, secret tokens, and much more.

It is also used to store reusable data like API URLs so that you don’t have to write them in your code explicitly every time you need them, just like how you’d create a reusable component.

It is also good practice to ignore environment variable files when pushing to a public repository during production to avoid the risk of exposure, they should be configured in the hosting environment instead.

Additionally, environment variables allow the hosting platform determine how to configure your application safely, and how to connect features like database or APIs. If the environment variable is not configured correctly, it can cause loss of connection to database or not fetch API data.

Frequently Asked Questions

Yes, you can. Use WordPress HTTP API functions to make requests. Secure API keys, handle responses appropriately and consider caching for better performance.

Yes, many monitoring services offer API integration, allowing you to connect monitoring data to other tools, applications, or scripts for customized automation and reporting.

APIs facilitate easy integration between cloud services and existing systems by allowing different software applications to communicate, enabling automation, customization, and enhanced functionality.

Verpex Web Development Hosting caters specifically to developers' needs by offering support for a wide range of programming languages, pre-installed development tools, and scalable resources to accommodate the growth of your project.

View more posts by Jessica Agorye

You may also like

Domain Reseller vs. Hosting Reseller: Can You Do Both?
Domain Reseller vs. Hosting Reseller: Can You Do Both?
Learn how to profit as a domain and hosting reseller. Compare both models and discover smart strategies to run them together under one seamless brand.
Yetunde Salami
9 min read
How Domains and IP Addresses Work Together to Load a Website
How Domains and IP Addresses Work Together to Load a Website
How domain names, DNS, and IP addresses work together to load a website, from URL entry and DNS resolution to servers, performance, and reliability.
Yetunde Salami
7 min read
Reverse Proxy vs Forward Proxy – What They Do on a Hosting Server
Reverse Proxy vs Forward Proxy – What They Do on a Hosting Server
In some cases, individuals or organizations may want to conceal their IP address and remain anonymous when visiting a website. They use a proxy as an intermediary
Jessica Agorye
9 min read
Hosting Migration: Do THIS Before You Move
Hosting Migration: Do THIS Before You Move
In this complete guide, you’ll learn everything you need to know about hosting migration. We’ll show you how to migrate safely, along with highlighting the steps you should follow to prepare your website in advance.
Danny Maiorca
9 min read