undefined | Better HN

0 pointsgraemep1y ago0 comments

The problem with .env files is that you are doing both.

You have a .env file that is in the same directory as your code and you just copy to to env vars at some point. This does not even meet the security principles that dotenv is supposed to implement!

I think people are blindly following the advice "put secrets in env vars" without understanding that the point of it is to keep secrets outside files your app can read - because if you do a vulnerability or misconfiguration that lets people read those files leaks the secrets.

What you can do is have environment vars set outside your code, preferably by another user. You do it in your init system or process supervisor. Someone mentioned passing them in from outside a docker container in another comment.

0 comments

skissane1y ago

> people are blindly following the advice "put secrets in env vars" without understanding that the point of it is to keep secrets outside files your app can read - because if you do a vulnerability or misconfiguration that lets people read those files leaks the secrets.

The problem with this is that, on Linux, the environment is a file, /proc/self/environ

And yes, as has been mentioned in some other comments, the process memory is also a file /proc/self/mem - but it is a special file that can only be read using special procedures, whereas /proc/self/environ behaves much more like a normal file, so a lot of vulnerabilities that enable reading /proc/self/environ wouldn’t enable reading /proc/self/mem

Technically one workaround on Linux is to not mount /proc (or at least not in your app’s container) - but doing that breaks a lot of things

anentropic1y ago

Yes... surely the point of .env file is as a shortcut to provide env vars for local development

.env file shouldn't be used in production, env vars should be injected directly

graemepOP1y ago

I agree that is what should happen. That is not what dotenv does though: https://www.npmjs.com/package/dotenv#-documentation

anentropic1y ago

I think dotenv would be fine as long as it doesn't raise exceptions if no .env file is found, i.e. if it works just as a helper for local dev and as a no-op for production

I notice the dotenv docs are recommending dotenvx now in places: https://www.npmjs.com/package/dotenv#-manage-multiple-enviro...

graemepOP1y ago

I have seen many .env files in production. SOme junior devs told me it was what they had been taught to do.

j / k navigate · click thread line to collapse

0 comments

skissane1y ago

The problem with this is that, on Linux, the environment is a file, /proc/self/environ

Technically one workaround on Linux is to not mount /proc (or at least not in your app’s container) - but doing that breaks a lot of things

anentropic1y ago

Yes... surely the point of .env file is as a shortcut to provide env vars for local development

.env file shouldn't be used in production, env vars should be injected directly

graemepOP1y ago

I agree that is what should happen. That is not what dotenv does though: https://www.npmjs.com/package/dotenv#-documentation

anentropic1y ago

I think dotenv would be fine as long as it doesn't raise exceptions if no .env file is found, i.e. if it works just as a helper for local dev and as a no-op for production

I notice the dotenv docs are recommending dotenvx now in places: https://www.npmjs.com/package/dotenv#-manage-multiple-enviro...

graemepOP1y ago

I have seen many .env files in production. SOme junior devs told me it was what they had been taught to do.

j / k navigate · click thread line to collapse