.env.development
Create an .env with vanilla defaults. Then, load .env.development to override. Finally, load .env.local for machine-specific overrides.
// Advanced dotenv setup
require('dotenv').config( path: '.env' );
if (process.env.NODE_ENV === 'development')
require('dotenv').config( path: '.env.development', override: true );
if (fs.existsSync('.env.local'))
require('dotenv').config( path: '.env.local', override: true );
If you use Docker for local development, you can bridge your .env.development directly into your containers.
# docker-compose.yml
version: '3.8'
services:
api:
build: .
env_file:
- .env.development
ports:
- "$PORT:3000"
Now, running docker-compose up automatically injects your dev variables.
| File | Git? | Typical use |
|------|------|--------------|
| .env.development | yes | shared dev defaults |
| .env.development.local | no | local overrides |
| .env | yes | base defaults (all envs) |
| .env.production | yes | production only |
Use .env.development to make your npm run dev experience consistent, safe, and configurable.
In the world of coding, .env.development is the secret notebook where developers keep their local project settings—like private API keys or database links—safe and separate from the "real" live site.
Here is a short story about a developer, a late-night mistake, and the file that saved (and nearly ruined) everything. The Keeper of Secrets
The clock on Elias’s taskbar hit 2:14 AM. His eyes were bloodshot, reflected in the glow of three monitors. He was building "Echo," an AI-driven storytelling app, and he was close to a breakthrough.
In the root folder of his project sat the most important file: .env.development . Inside it, Elias had stored his digital lifeblood: OPENAI_API_KEY : The expensive key that powered Echo’s brain. DATABASE_URL : The link to his local testing ground. DEBUG=true
: The switch that told the app to show him every error, no matter how messy.
Elias had a golden rule, one he’d learned the hard way after a $1,200 AWS bill three years ago: Never, ever push your secrets to GitHub. He checked his .gitignore file one last time. was safely listed there. "Ready," he whispered. npm run dev .env.development
. The terminal bloomed with green text. Echo was alive, pulling the "draft" status variables from the development file to show him unpublished stories. On his screen, a digital narrator began to spin a tale about a lost robot.
Elias leaned back, satisfied. But in his exhaustion, he decided to do one final "clean up." He opened a new file to share with his collaborator, Sarah. He wanted to show her the
of the settings without giving her his actual keys. He created .env.development.example API_KEY=YOUR_KEY_HERE DB_NAME=test_db He hit save. He typed git commit -m "added env example" Suddenly, he froze. His heart hammered against his ribs. He had renamed his actual .env.development .env.development.example
by mistake, and then he’d committed it. He hadn't just shared the structure; he’d just pushed his real, live, $100-a-day API key to a public repository for the world to see. He scrambled. His fingers flew across the keyboard: git rm --cached git push --force
. In the world of development, a secret leaked for even a second is a secret stolen by bots that crawl the web every millisecond.
Elias sat in the dark, sweating. He checked his OpenAI dashboard. No usage spikes. He’d caught it. He immediately rotated the key, generating a new string of gibberish, and pasted it back into a freshly created, properly ignored .env.development
He closed his laptop. The story of Echo would continue tomorrow, but for tonight, the keeper of secrets had learned that even in "development," one wrong click can turn a draft into a disaster. technical guide on how to set up these files safely, or perhaps another short story about a different part of the coding world? Custom Gatsby Blog Publishing Workflow | by Ed Pike 17 Apr 2021 —
file is a plain-text configuration file used by developers to store environment variables
specifically for a local or development environment. It allows you to run your application locally with settings (like database URLs or API keys) that differ from those used in production. .env.development Environment Specificity
: It prevents you from accidentally using production data (like a live customer database) while testing new features. Automation : Modern tools like Create React App Create an
automatically load this specific file when you run commands like npm run dev
: By keeping sensitive credentials in a separate file, you can ensure they aren't hardcoded into your source code. Key Usage Guidelines Variable Prefixing
: Many frameworks require variables to have a specific prefix to be accessible in the browser (e.g., for Vite or REACT_APP_ for Create React App). File Priority : Most systems follow a specific "load order." For example, .env.development.local will usually override settings found in .env.development .gitignore .env.development
files containing real secrets to version control systems like GitHub. Instead, provide a .env.example .env.sample
file with the keys but no values so other developers know what they need to set up. Common File Structure An example .env.development file might look like this:
# Specific to development environment PORT=3000 DB_URL=mongodb://localhost:27017/dev_db API_KEY=dev_secret_key_123 VITE_ANALYTICS_ID=UA-DEV-999 Use code with caution. Copied to clipboard Advanced Considerations Build-time vs. Run-time
: In frontend frameworks, these variables are often "inlined" during the build process, meaning they are baked into the JavaScript code. Local Overrides
: If you have specific settings just for your machine (like a different port), use a .env.development.local file, which should also be ignored by Git. sample research structure or more technical details on how specific frameworks like handle these files? How to secure your web applications (Part 1) — CPAS 3
Never store real production secrets in .env.development.
Because .env.development might be committed to the repository (depending on your team’s policy), it should only contain safe-for-public dev defaults. If you use Docker for local development, you can bridge your
echo "API_BASE=http://localhost:9999" >> .env.development.local
Use python-dotenv or django-environ.
Create settings.py:
import environ env = environ.Env() environ.Env.read_env(overwrite=True)
if env('ENVIRONMENT') == 'development': DEBUG = True DATABASES['default'] = env.db('DEV_DATABASE_URL')
Your .env.development:
ENVIRONMENT=development
DEV_DATABASE_URL=sqlite:///db.sqlite3
SECRET_KEY=dev-key-not-for-production
While .env files are incredibly useful, they come with specific responsibilities.
1. The Golden Rule: Never Commit Secrets
The most critical rule of environment files is that they should never be committed to version control (like Git). A .env.development file often contains sensitive information, such as database passwords or API keys. Even though these are "development" keys, leaking them can still pose a security risk.
You must add .env.development to your .gitignore file. This ensures that your secrets stay on your local machine and are not pushed to GitHub or Bitbucket for the world to see.
2. Use a Template File
Since the actual .env.development file is ignored by Git, how do new team members know what variables to set? The solution is to create a commit-safe template file, usually named .env.development.example. This file contains the keys but dummy or empty values. When a new developer clones the project, they copy the example file, rename it to .env.development, and fill in their actual credentials.
3. Validation
It is good practice to validate that the required environment variables are present when the application starts. If DB_HOST is missing, the app should crash immediately with a clear error message, rather than failing mysteriously later on when it tries to run a query.
Imagine every time you run npm run dev, your code sends a request to a paid third-party API (like Twilio or OpenAI). You would burn through your budget in an afternoon. The .env.development file allows you to substitute real APIs with mock endpoints or local sandboxes.
# .env.production
PAYMENT_GATEWAY=https://api.stripe.com/v1