
.env File Generator by Stack

Creates complete .env and .env.example files for common stacks (Next.js, Django, Rails, Laravel, Vite) with placeholders and documented comments.

The generated .env content includes comments and sections (DB, Auth, Mail, Storage). Never commit real credentials.

.env templates per stack

The .env convention was popularised by Heroku's Twelve-Factor App manifesto and Scott Motte's dotenv npm library (2013). The idea is dead simple: configuration that changes between environments — database URLs, API keys, feature flags — lives in environment variables, not in code, and a per-developer .env file makes those variables available during local development. Today every major language has a port: dotenv for Node, python-dotenv for Python, godotenv for Go, dotenvy for Rust.

File format

One KEY=VALUE pair per line. Comments start with #. Values containing spaces or special characters need to be quoted:

# Database
DATABASE_URL=postgres://user:pass@localhost:5432/app
# Auth
JWT_SECRET="a long random string with spaces"
NODE_ENV=development
PORT=3000

  • Never commit .env to git — add it to .gitignore. Leaked secrets in public repos are scanned by bots within minutes.
  • Commit a .env.example with placeholder values so new contributors know which variables to set.
  • The file is read once at process start — runtime edits require a restart.

Stack-specific keys

  • Node/Express: PORT, DATABASE_URL, JWT_SECRET, REDIS_URL, NODE_ENV.
  • Next.js: NEXTAUTH_URL, NEXTAUTH_SECRET, NEXT_PUBLIC_* (only NEXT_PUBLIC_-prefixed vars are shipped to the client).
  • Django: SECRET_KEY, DATABASE_URL, ALLOWED_HOSTS, DEBUG, DJANGO_SETTINGS_MODULE.
  • Rails: DATABASE_URL, RAILS_MASTER_KEY, RACK_ENV.
  • Laravel: APP_KEY, APP_ENV, DB_*, REDIS_*, MAIL_*.
  • Vite: client-side vars require the VITE_ prefix; Create React App uses REACT_APP_.
  • Postgres container: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB.

Beyond .env: production secrets

In production, plain-text .env on disk is a liability. Use a managed secret store instead: AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, Doppler, Infisical, or platform-native solutions like Vercel/Netlify environment variables. dotenv-vault (Motte, 2022) encrypts and syncs .env across team members. With Docker, pass secrets via --env-file .env, the docker-compose env_file: directive, or Docker Swarm secrets / Kubernetes Secrets for orchestrated workloads. Never log full env contents — some structured loggers do this by default, and once that line is in stdout the secrets are one Splunk query away from disaster.

FAQ

Should I commit .env? No, never. Add it to .gitignore and commit a sanitised .env.example with placeholder values. Public-repo secret scanners (TruffleHog, GitGuardian) catch leaks within hours.

What goes into a .env file? Anything secret or environment-specific: database URLs, API keys, JWT secrets, OAuth client IDs, third-party tokens (Stripe, SendGrid, S3), feature flags. Public, immutable values (like the app name) can live in code.

Should I use .env in production? Prefer a secret manager. If you must, restrict file permissions to 600, mount it as a Docker secret, and never bake it into the image.

What does the NEXT_PUBLIC_ or VITE_ prefix do? It marks variables as safe to expose in the browser bundle. Everything without that prefix stays server-side. Putting a real secret behind one of these prefixes leaks it to every visitor.
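An added example (not part of this tool or of any dotenv library): a small pre-commit style audit that parses a .env and its .env.example in the format described above and flags secret-looking names behind a client-side prefix, keys missing from .env.example, and non-placeholder values in .env.example. The sample files, the name and placeholder heuristics, and the finding labels are assumptions made for illustration; the parser covers only plain KEY=VALUE lines, not export statements, inline comments or multi-line values.

```python
import re

# Constructed sample files for this example (not real credentials).
SAMPLE_ENV = '''# Database
DATABASE_URL=postgres://user:pass@localhost:5432/app
JWT_SECRET="a long random string with spaces"
NEXT_PUBLIC_API_URL=https://api.example.test
NEXT_PUBLIC_PAYMENT_SECRET_KEY=constructed-not-a-real-key
'''
SAMPLE_EXAMPLE = '''DATABASE_URL=postgres://user:pass@localhost:5432/app
JWT_SECRET=changeme
NEXT_PUBLIC_API_URL=https://api.example.test
'''

PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "REACT_APP_")
# Heuristics (assumptions): names that suggest a secret, values that look like placeholders.
SECRET_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|_KEY$", re.I)
PLACEHOLDER = re.compile(r"^(|changeme|your[-_].*|<.*>|x{3,}|placeholder)$", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments, stripping one pair of quotes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs[key] = value
    return pairs

def audit(env_text, example_text):
    """Return (finding, key) tuples for the .env / .env.example pair."""
    env, example = parse_env(env_text), parse_env(example_text)
    findings = []
    for key in env:
        if key.startswith(PUBLIC_PREFIXES) and SECRET_HINT.search(key):
            findings.append(("public-prefix-secret", key))    # would ship in the browser bundle
        if key not in example:
            findings.append(("missing-from-example", key))    # contributors won't know to set it
    for key, value in example.items():
        if SECRET_HINT.search(key) and not PLACEHOLDER.match(value):
            findings.append(("example-has-real-value", key))  # committed file holds a non-placeholder
    return findings

if __name__ == "__main__":
    for finding, key in audit(SAMPLE_ENV, SAMPLE_EXAMPLE):
        print(f"{finding}: {key}")
```

The name-based check only catches variables whose names hint at a secret; a secret stored under a neutral name behind a public prefix still needs human review.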
