Development vs. Production Environment
Whoever has the task of editing config files has complete access to the .env and every secret in it. It is obvious why this is a major issue in production, where it amounts to leaking sensitive information.
localhost is a hostname that refers to the device currently being used. It is used to reach the network services running on that host via the loopback network interface.
Typically, a server in a development environment allows unrestricted access to and control by a user or group of users. A production server, on the other hand, is configured to restrict access to authorized users and to limit control to system administrators. For example, in a development environment anyone might be allowed to shut down the server, whereas, in a production environment, only an administrator with appropriate privileges would be allowed to stop a running server.
DB_ENDPOINT = https://app.website.com/db/v1
DB_USER = admin
DB_PASSWORD = d9v3ndik!3$#0fn8EL2naQF
Leaving the file in the repository is really only acceptable for localhost development of a web application. Once you deploy to a dedicated development server, those settings are best treated as if they were production, to simulate reality as closely as possible. Keeping the file in the repository does help with versioning, but this is where a better approach is needed. Chances are that once localhost is set up, the config files can live in a shared development setup, with everyone having access to the generic information.
When we move to a real server, this calls for a separate config server that stores both the development and production .env files. Depending on the choice of dedicated config server, you may get versioning as an added feature. Regardless, the information is stored in a different location, so that only those who need to update sensitive information have access to it, and they can deploy that data independently of the entire web application.
A hosting solution such as Heroku or Netlify allows applications or websites to be published with their sensitive environment variables supplied separately. Many cloud services can function as a config server, such as AWS Parameter Store, Google Secret Manager, or HashiCorp Vault for the open-source enthusiasts. With a config server, all sensitive information is centralized, encrypted, and accessible only to the applications and users you approve.
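To make the localhost/production split concrete, here is an added example (not the post's own code) of a settings loader that honours a .env file only for localhost development and otherwise fails closed unless the secrets have been injected into the process environment by a config server or hosting platform. The key names come from the snippet above; the APP_ENV values ("local" versus anything else) are an assumption.

```python
"""Fail-closed settings loader: a .env file is only honoured for localhost
development; everywhere else secrets must arrive from the process environment
(as injected by a config server or hosting platform). Added example, not the
original post's code."""
import re

# Key names come from the post's snippet; APP_ENV values are an assumption.
REQUIRED = ("DB_ENDPOINT", "DB_USER", "DB_PASSWORD")
SECRET_KEYS = {"DB_PASSWORD"}
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse KEY = value lines (the spacing used in the post is accepted)."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:  # do not echo the line itself: it may hold a secret
            raise ValueError(f"malformed .env line (line {lineno})")
        settings[m.group(1)] = m.group(2).strip('"\'')
    return settings


def load_settings(app_env, environ, env_file_text=None):
    """Return settings for the given APP_ENV.

    'local'       -> process environment wins, the .env file fills the gaps.
    anything else -> the .env file is ignored entirely; every REQUIRED key
                     must come from the process environment or loading fails.
    """
    settings = {k: environ[k] for k in REQUIRED if k in environ}
    if app_env == "local" and env_file_text is not None:
        for key, value in parse_env(env_file_text).items():
            settings.setdefault(key, value)
    missing = [k for k in REQUIRED if k not in settings]
    if missing:
        raise RuntimeError(f"{app_env}: missing {missing}; inject via config server")
    return settings


def redacted(settings):
    """Copy that is safe to log: secret values are masked."""
    return {k: "***" if k in SECRET_KEYS else v for k, v in settings.items()}
```

In a real application you would call `load_settings(os.environ.get("APP_ENV", "local"), os.environ, open(".env").read() if present)` at startup and log only `redacted(settings)`.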