Environment Files
This skill provides comprehensive guidance on handling environment files, including .env files, .env.example templates, and security best practices.
Overview
Environment files contain sensitive configuration data that must be handled carefully. This skill defines what's allowed and forbidden when working with environment variables.
Critical Rules
DO NOT MODIFY
CRITICAL FILES - DO NOT MODIFY WITHOUT EXPLICIT INSTRUCTION:
- .env files: Never commit or modify environment files (except .env.example templates)
- .env.local, .env.development, .env.production: all actual environment files
- git configuration files
Allowed Operations
✅ Create/Edit .env.example
ALLOWED:
- Create/edit .env.example: a template showing the required environment variables (no actual secrets)
- Format: KEY_NAME=example_value_here (with descriptive placeholder values)
Example .env.example:
```
DATABASE_URL=postgresql://user:password@localhost:5432/dbname
NEXT_PUBLIC_API_URL=http://localhost:3000/api
OPENAI_API_KEY=sk-your-api-key-here
```
✅ Template Format Guidelines
When creating .env.example files:
- Use descriptive placeholders:
  - sk-your-api-key-here (not actual keys)
  - postgresql://user:password@localhost:5432/dbname (example connection string)
  - http://localhost:3000/api (example URLs)
- Include comments when helpful:
  ```
  # Database connection string
  DATABASE_URL=postgresql://user:password@localhost:5432/dbname
  # Public API endpoint
  NEXT_PUBLIC_API_URL=http://localhost:3000/api
  ```
- Document required vs optional:
  ```
  # Required: API key for external service
  OPENAI_API_KEY=sk-your-api-key-here
  # Optional: Override default port
  PORT=3000
  ```
Forbidden Operations
❌ Creating or Modifying Actual .env Files
FORBIDDEN:
- Creating or modifying .env, .env.local, .env.development, .env.production, or any other .env files
- Never commit actual secrets, API keys, passwords, or sensitive data
- Never read values from actual .env files
❌ Committing Sensitive Data
FORBIDDEN:
- Committing .env files to version control
- Including actual API keys, passwords, or secrets in code
- Hardcoding sensitive values in source files
Backend: defensive defaults and .env persistence
- In some environments, .env may not be persisted. For backend tasks, prefer defensive defaults in code (e.g. process.env.REDIS_URL || 'redis://localhost:6379') and document the variable in .env.example.
- Do not create or modify .env in the repo; only create or update .env.example and document that users copy it to .env locally. Never commit .env.
- Optionally: use an env-based bcrypt cost (e.g. BCRYPT_ROUNDS) for dev vs prod so tests can be fast without editing source.
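The defensive-default pattern from the bullets above, as an added example that is not part of the original skill: a small Node config loader. REDIS_URL, BCRYPT_ROUNDS, NODE_ENV and PORT are the page's variable names; the bcrypt cost bounds, the test/development defaults and the production guard are assumptions.

```javascript
// Added example (not code from the original skill): build the runtime config
// from an env object with defensive defaults so the backend starts even when
// .env was not persisted. REDIS_URL and BCRYPT_ROUNDS are names from the page;
// the cost bounds, the defaults and the production guard are assumptions.

const BCRYPT_MIN = 4;      // lowest cost bcrypt accepts; fast enough for tests
const BCRYPT_MAX = 31;     // highest cost bcrypt accepts
const BCRYPT_DEFAULT = 12; // assumed default for non-test environments

function parseBcryptRounds(raw, nodeEnv) {
  if (raw === undefined || raw === '') {
    // No override set: cheap hashing under test, stronger cost elsewhere
    return nodeEnv === 'test' ? BCRYPT_MIN : BCRYPT_DEFAULT;
  }
  const n = Number.parseInt(raw, 10);
  // Reject partial parses such as "12abc", NaN, and out-of-range values
  if (!Number.isInteger(n) || String(n) !== raw.trim() || n < BCRYPT_MIN || n > BCRYPT_MAX) {
    throw new Error(
      `BCRYPT_ROUNDS must be an integer in [${BCRYPT_MIN}, ${BCRYPT_MAX}], got ${JSON.stringify(raw)}`,
    );
  }
  return n;
}

function loadConfig(env = process.env) {
  const nodeEnv = env.NODE_ENV || 'development';
  // A localhost fallback is fine for local work but hides misconfiguration in
  // production, so it is only applied outside production (assumed policy).
  if (nodeEnv === 'production' && !env.REDIS_URL) {
    throw new Error('REDIS_URL must be set explicitly in production');
  }
  return {
    nodeEnv,
    port: Number.parseInt(env.PORT || '3000', 10),
    redisUrl: env.REDIS_URL || 'redis://localhost:6379',
    bcryptRounds: parseBcryptRounds(env.BCRYPT_ROUNDS, nodeEnv),
  };
}
```

Because loadConfig takes the env object as a parameter, tests can pass a plain object instead of mutating process.env.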
Best Practices
1. .gitignore Verification
Always ensure .env files are in .gitignore:
```
.env
.env.local
.env.development
.env.production
.env*.local
```
2. Template Maintenance
- Keep .env.example up to date with all required variables
- Document variable purpose and format
- Include example values that show the expected format
- Mark required vs optional variables
3. Security Checklist
Before committing code, verify:
- ✅ No .env files are staged for commit
- ✅ .env.example contains only placeholders
- ✅ No hardcoded secrets in source files
- ✅ .gitignore includes .env patterns
Integration with Other Skills
This skill works with:
- git-best-practices: for ensuring .env files are properly ignored
- pre-implementation-check: for verifying environment setup before implementation
Common Patterns
Pattern 1: Creating .env.example
```bash
# Create template file (the delimiter is quoted so that any $ in values is written literally)
cat > .env.example << 'EOF'
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/dbname

# API Keys
OPENAI_API_KEY=sk-your-api-key-here

# Server Configuration
PORT=3000
NEXT_PUBLIC_API_URL=http://localhost:3000/api
EOF
```
Pattern 2: Verifying .gitignore
```bash
# Check if .env is ignored (prints the path when a rule matches, exit status 1 otherwise)
git check-ignore .env

# Verify .gitignore contains .env patterns
grep -E "\.env" .gitignore
```
Pattern 3: Template Validation
Before committing, verify .env.example:
- Contains no actual secrets
- Has descriptive placeholder values
- Documents all required variables
- Includes helpful comments
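One way to automate the Security Checklist, Pattern 2 and Pattern 3 above, as added example code that is not part of the original skill: it lints the text of a .env.example for values that are not obvious placeholders and reports which .env files a .gitignore fails to cover. The placeholder heuristic, the credential prefixes and the parsing rules are assumptions; the sample templates are constructed from the page's good and bad examples.

```javascript
// Added example, not the skill's own code: lint a .env.example before commit and
// check .gitignore covers the .env files. Parsing rules, placeholder heuristic
// and credential prefixes are assumptions; the sample templates are constructed.

const SENSITIVE_KEY = /(KEY|SECRET|PASSWORD|TOKEN|URL)$/i;
const PLACEHOLDER_HINT = /your|example|placeholder|changeme|xxx|localhost|user:password/i;
// Known credential prefixes: OpenAI project keys, Stripe live keys, GitHub tokens, AWS access keys
const LIVE_SECRET = /^(sk-proj-|sk_live_|ghp_|AKIA)/;

function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const t = line.trim();
    if (!t || t.startsWith('#')) return; // blank or comment
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(t);
    if (!m) { entries.push({ line: i + 1, error: `unparseable line: ${t}` }); return; }
    // Strip one layer of matching quotes around the value
    entries.push({ line: i + 1, key: m[1], value: m[2].replace(/^(['"])(.*)\1$/, '$2') });
  });
  return entries;
}

function lintExample(text) {
  const problems = [];
  for (const e of parseEnv(text)) {
    if (e.error) { problems.push(`line ${e.line}: ${e.error}`); continue; }
    if (LIVE_SECRET.test(e.value)) {
      problems.push(`line ${e.line}: ${e.key} looks like a live credential`);
    } else if (SENSITIVE_KEY.test(e.key) && e.value !== '' && !PLACEHOLDER_HINT.test(e.value)) {
      problems.push(`line ${e.line}: ${e.key} value is not an obvious placeholder`);
    }
  }
  return problems;
}

// Env files with no matching .gitignore rule (empty means all covered). Plain names
// and '*' globs are handled; negations and directory rules are ignored here.
function uncoveredEnvFiles(gitignoreText, files = ['.env', '.env.local', '.env.development', '.env.production']) {
  const rules = gitignoreText.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#') && !l.startsWith('!'));
  const toRegex = (rule) => new RegExp(
    '^' + rule.replace(/^\//, '').replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*') + '$',
  );
  return files.filter((f) => !rules.map(toRegex).some((re) => re.test(f)));
}

// Constructed samples: the page's good template and its bad one with real-looking values
const GOOD_TEMPLATE = 'DATABASE_URL=postgresql://user:password@localhost:5432/dbname\nOPENAI_API_KEY=sk-your-api-key-here';
const BAD_TEMPLATE = 'DATABASE_URL=postgresql://realuser:realpassword@realhost:5432/realdb\nOPENAI_API_KEY=sk-proj-actualRealKey123456789';
```

The heuristics are deliberately simple; treat a non-empty result from lintExample as a reason to look at the template by hand, not as proof that a value is a real secret.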
Troubleshooting
Issue: .env File Accidentally Created
Solution:
- Remove from git tracking: git rm --cached .env
- Add to .gitignore: echo ".env" >> .gitignore
- Verify: git status should not show .env
Issue: Secrets in Commit History
Solution:
- Remove sensitive data from the repository
- Rotate compromised credentials (treat any committed secret as exposed; rewriting history does not revoke it)
- Use git filter-branch or BFG Repo-Cleaner if needed
- Update .gitignore to prevent future commits
Examples
✅ Good .env.example
```
# Database Configuration
DATABASE_URL=postgresql://user:password@localhost:5432/dbname

# API Keys (get from service provider)
OPENAI_API_KEY=sk-your-api-key-here
STRIPE_SECRET_KEY=sk_test_your_stripe_key_here

# Application Settings
NODE_ENV=development
PORT=3000
NEXT_PUBLIC_API_URL=http://localhost:3000/api
```
❌ Bad .env.example (Contains Actual Secrets)
```
DATABASE_URL=postgresql://realuser:realpassword@realhost:5432/realdb
OPENAI_API_KEY=sk-proj-actualRealKey123456789
```
Never include actual secrets, even in example files!