What is a .env file?

A .env file stores environment variables as KEY=VALUE pairs. Libraries like dotenv (Node.js), python-dotenv, and many frameworks load these files at startup to configure your application without hard-coding secrets or settings in source code.

Supported syntax

KEY=value: basic entry
KEY="value with spaces": double-quoted (supports \n, \t escapes)
KEY='literal value': single-quoted (no escape processing)
export KEY=value: shell export prefix (stripped)
# comment: full-line and inline comments
Blank lines are preserved

Privacy notice

All processing happens entirely in your browser. Your .env content (including secrets and API keys) is never sent to any server.

Best practices

Never commit .env files to version control: add them to .gitignore
Commit a .env.example with placeholder values instead
Use different .env files per environment (.env.development, .env.production)

dotenv libraries by ecosystem

Language / Runtime	Package	Install command
Node.js	`dotenv`	`npm install dotenv`
Python	`python-dotenv`	`pip install python-dotenv`
Ruby	`dotenv` gem	`gem install dotenv`
Go	`godotenv`	`go get github.com/joho/godotenv`
PHP	`phpdotenv`	`composer require vlucas/phpdotenv`

Never commit .env files

If you accidentally commit a .env file containing secrets, simply adding it to .gitignore afterward is not enough - the file remains in your repository history. Remove it and rotate all exposed credentials immediately:

git rm --cached .env
git commit -m "Remove .env from tracking"
git push

For secrets already published to a remote, assume they are compromised. Rotate API keys, passwords, and tokens before anything else.

Variable naming conventions

SCREAMING_SNAKE_CASE is the universal convention for environment variable names (DATABASE_URL, not databaseUrl). Prefix variables with the service name to avoid collisions in large projects:

DATABASE_HOST, DATABASE_PORT, DATABASE_NAME
REDIS_HOST, REDIS_PORT
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY