We’ve all been there – that heart-stopping moment when you realize you’ve accidentally exposed sensitive information. Today, I’m sharing a personal story and introducing a tool that could save you from a similar nightmare.

The Nightmare Scenario

London, February 2019. I was about to release an infrastructure project I’d been working on for two weeks. I used the client’s AWS master key for testing. Yes, I know – I’m cringing too 😬. I pushed the container to a public repo for “easier access.” 🤡 Within seconds, an email arrived, cc’ing the entire company leadership about a critical security breach in production. Cold sweat. Near-firing experience. Lessons learned the hard way.

The Common Pitfall

Many developers, especially those working on side projects or open-source repos, face a common dilemma: how do you store secrets locally in a way that’s both secure and convenient? Is it enough to put them in clear text and add them to . The answer is a resounding no. But the solution isn’t always clear.

Enter: dotenvx

Here’s where dotenvx comes in – a tool that could have saved me a world of pain. dotenvx is a “better .env” with three key features:
Getting Started with dotenvx

Installation is simple:

```sh
curl -sfS https://dotenvx.sh | sh
# or
brew install dotenvx
```

(I used Nix.) One caveat before you copy that first line: piping a script fetched over the network straight into a shell means trusting whatever that URL serves at that moment, so download the script and read it first, or prefer your package manager.

Key Features:
Enhancing Security

While dotenvx is a great start, it’s not a silver bullet. I recommend coupling it with security scanning tools like Snyk. These tools can help identify exposed secrets and other vulnerabilities in your project.

Multi-Environment Support

dotenvx supports multiple environments (staging, production, etc.) through separate .env files. You can use the

Docker Integration

When using dotenvx with Docker, remember to:
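As an added example (not code from this post or from the dotenvx project), the guard below is what I would wire into a pre-push hook to catch exactly the mistake described at the top of the page: a plaintext secret sitting in a .env file, or a .env.keys file that nobody gitignored. It assumes dotenvx's on-disk layout as I understand it at the time of writing: `dotenvx encrypt` rewrites each value as `KEY="encrypted:..."`, keeps the public key in `DOTENV_PUBLIC_KEY` (suffixed per environment, e.g. `DOTENV_PUBLIC_KEY_PRODUCTION` for `.env.production`), and writes the matching private key to `.env.keys`. The function names, the demo directory and the sample values are mine and constructed; none of the keys shown are real.

```sh
#!/bin/sh
# Pre-push guard for dotenvx-managed .env files (added example, not part of
# dotenvx). Assumed layout: encrypted values look like KEY="encrypted:...",
# the committed public key lives in DOTENV_PUBLIC_KEY[_ENV], and private keys
# live in .env.keys, which must never reach the repository.
set -eu

# Return 0 if every assignment in FILE is ciphertext (or the public key),
# 1 if any plaintext value is present. Blank lines and comments are skipped.
env_file_is_encrypted() {
  file="$1"
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                 # blank line or comment
      DOTENV_PUBLIC_KEY*) continue ;;      # public key is meant to be committed
    esac
    key=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value#\'}   # strip one leading quote, if any
    case "$value" in
      encrypted:*) ;;                      # good: ciphertext only
      *) printf 'plaintext secret: %s in %s\n' "$key" "$file" >&2; status=1 ;;
    esac
  done < "$file"
  return $status
}

# Return 0 if DIR/.gitignore has a rule starting with ".env.keys", else 1.
keys_are_ignored() {
  dir="$1"
  [ -f "$dir/.gitignore" ] && grep -qE '^\.env\.keys' "$dir/.gitignore"
}

# Check .env and every .env.* in DIR except .env.keys itself.
# Returns 0 only when the private key is ignored and no file leaks plaintext.
preflight() {
  dir="$1"
  ok=0
  keys_are_ignored "$dir" || { echo ".env.keys is not gitignored in $dir" >&2; ok=1; }
  for f in "$dir"/.env "$dir"/.env.*; do
    [ -f "$f" ] || continue
    case "$f" in */.env.keys) continue ;; esac
    env_file_is_encrypted "$f" || ok=1
  done
  return $ok
}

# Constructed demo: one properly encrypted .env.production, one .env with a
# plaintext value, and a .gitignore that forgot .env.keys. Expect "blocked".
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'DOTENV_PUBLIC_KEY_PRODUCTION="03fakepublickey"' \
                'DB_URL="encrypted:FAKECIPHERTEXT"' > "$d/.env.production"
  printf '%s\n' 'API_TOKEN=FAKE-PLAINTEXT-VALUE' > "$d/.env"
  printf '%s\n' 'node_modules/' > "$d/.gitignore"
  if preflight "$d"; then echo "safe to push"; else echo "blocked"; fi
  rm -rf "$d"
}
demo
```

Run `preflight .` from a pre-push hook and it refuses the push on either failure. This is also what makes the Docker case tractable: the image can carry the encrypted `.env.production` because it contains only ciphertext, while the private key is supplied at run time through the `DOTENV_PRIVATE_KEY_PRODUCTION` environment variable, which dotenvx reads when no `.env.keys` file is present, instead of being copied into the image.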
The Balanced Approach

While .env files remain controversial in professional settings, tools like dotenvx offer a middle ground between security and practicality for side projects and open-source work. Remember, no solution is perfect. Always stay vigilant and use supporting systems to minimize risks.

As always, feel free to reply directly with thoughts and comments.