0

What is the difference between storing sensitive credentials in a credentials.js file as opposed to an .env file?

With module.exports you can write:

const KEY = require("./credentials.js");

Whereas with .env files you can write:

const KEY = process.env.KEY;

In both cases you accomplish the same goal of making some variable "global" and accessing it globally. Why do people use .env and dotenv instead of just using Node's built-in module.exports system?

bsb21

1 Answer

0

Environment variables are meant to be defined on the machine (system). The environment variables can be used by multiple applications running on the same system.

Exported variables are only limited to the application you are running.

In your case: if you want to deploy your application on 3 servers (Dev, QA, Prod) but with different credentials, it doesn't make sense to change the credentials every time you deploy. Even if you define credentials for every server, they have to be static, and if you want to change them, you must make changes in the file and deploy the app again to reflect the changes. In the case of environment variables, you just have to change them on the targeted system and restart the server, so there is no need to deploy the app again.

It becomes a mess to manage when there are changes in more than one environment variable. Also, environment variables are useful when it comes to integration with other services.

For security in environment variables, you can read this

When storing credentials:

  • There is a risk of exposing credentials to the version control system when they are stored in a config file
  • It doesn't matter where credentials are stored if the system is compromised
  • You can use a runtime configuration file. Find it here
Abhishek Pankar
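
The approach the answer describes, as an added example that is not part of the original question or answer: one loader reads credentials from the environment, so the same build runs on Dev, QA and Prod and nothing secret sits in a file that could be committed. The variable names DB_USER, DB_PASSWORD and API_KEY and the sample values are assumptions constructed for illustration.

```javascript
// Hypothetical variable names; replace with the ones your application needs.
const REQUIRED = ["DB_USER", "DB_PASSWORD", "API_KEY"];

// Read credentials from an environment-like object (process.env by default).
// Fails fast at startup if any required variable is unset or blank.
function loadCredentials(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === "");
  if (missing.length > 0) {
    // Report variable names only, never values, so the error is safe to log.
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  const creds = {};
  for (const name of REQUIRED) creds[name] = env[name];
  return Object.freeze(creds); // prevent accidental mutation at runtime
}

// Copy that is safe to print in a startup log: every value is masked.
function redact(creds) {
  const out = {};
  for (const name of Object.keys(creds)) out[name] = "[redacted]";
  return out;
}

// Constructed sample environments standing in for two servers.
const devEnv = { DB_USER: "dev_app", DB_PASSWORD: "dev-example-pw", API_KEY: "dev-example-key" };
const prodEnv = { DB_USER: "prod_app", DB_PASSWORD: "", API_KEY: "prod-example-key" };

for (const [label, env] of [["dev", devEnv], ["prod", prodEnv]]) {
  try {
    const creds = loadCredentials(env);
    console.log(label, "credentials loaded:", redact(creds));
  } catch (err) {
    // On the prod sample the blank DB_PASSWORD is caught before any connection attempt.
    console.error(label, "startup refused:", err.message);
  }
}
```

Calling loadCredentials() with no argument reads process.env, so rotating a credential means changing the variable on the target system and restarting the process.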