Best Practices

Environment Variables Best Practices for Cloud Apps

Remoud Team · 5 min read · 2026-02-10

Environment variables separate secrets from code. Here are the best practices every developer should follow.

Common Env Vars

PORT=3000
DATABASE_URL=mongodb+srv://user:pass@cluster/db
API_KEY=sk_live_abc123
NODE_ENV=production
SESSION_SECRET=random-32-char-string

Best Practices

1. Never Commit Secrets

Add .env to .gitignore. Use .env.example for docs.

2. Different Values Per Environment

Dev, staging, production should have separate credentials.

3. Validate on Startup

const required = ['DATABASE_URL', 'SESSION_SECRET'];
for (const key of required) {
    if (!process.env[key]) {
        console.error('Missing: ' + key);
        process.exit(1);
    }
}

4. Rotate Regularly

Change secrets periodically, especially when team members leave.

On Remoud

Encrypted at rest (AES-256-GCM)
Injected at runtime
Bulk edit support
Available in web terminal

Ready to deploy?

Get your app live in seconds with Remoud. Free tier available.

Start deploying for free →