How to keep your secrets off GitHub

Using Node.js and DotEnv

GitHub makes a developer's life so much easier - you can use it to collaborate, track changes, and back up your files with ease. But if you are not careful you can also publish the secrets embedded in your code, and that puts everything those secrets protect at risk.

For example, if you are using MongoDB as your database your code needs the MongoDB connection string, and that string usually carries the database username and password. If you push your code to GitHub with the string hard-coded, anyone who can see the repository (including its commit history, where it stays even after you delete it) can connect to your database and do whatever they like with it.

“A better way”

The first step to keeping your secrets safe is to read them from environment variables instead of writing them into your source. Node supports these out of the box through the "env" object, which is a property of the global "process" object. Environment variable names are conventionally written in all caps, so an example would be:

DB_STRING = mongodb+srv://

Your code then refers to "process.env.DB_STRING" wherever it needs the connection string, and the actual value never appears in the source you commit.

“But the variable has to be declared somewhere, right?”

Correct, dear reader. The environment variables do have to be declared somewhere. We will do that in a special file called ".env". At startup, everything in that file is loaded into the "process.env" object. An npm package called "dotenv" does that loading, so we need to install it.

You need to already have Node.js and npm installed for this to work. You can find downloads and instructions for those on the Node.js website.

Once you have Node and npm installed, simply use the following terminal command to install “dotenv”:

npm i dotenv

Then require and configure "dotenv" at the very top of your app's entry file, before any other code reads "process.env":

require('dotenv').config()

Once this is in place, go into your file structure and create a file called ".env", either at the top level (where "config()" looks for it by default) or in your config folder (in which case you pass its location to "config()" through its "path" option). Open this file and plop in your environment variables.

Here we have the DB_STRING from earlier as well as the PORT our server is running on locally:

DB_STRING = mongodb+srv://

PORT = 2121

You may notice there are no quotation marks - "dotenv" reads every value as a string, so quotes are optional, and if you do add them "dotenv" strips them for you. One consequence is that PORT arrives in your code as the string "2121", not a number, so convert it before you pass it to "listen()".

“One last step”

There is only one final step: set up a ".gitignore" file. Like the name suggests, Git ignores any path that matches a pattern in this file, so it is never staged, never committed, and never pushed to GitHub.

Go back into your file structure and at the top level create a file called ".gitignore". Then add a line for your ".env" file like so:

.env

Do this before your first commit. If ".env" was ever committed, adding it to ".gitignore" now will not pull it out of the repository's history, so treat any secret it held as compromised and rotate it (change the database password and update the connection string).

You can also add "node_modules" and any other large dependencies that can be reinstalled locally with "npm install". That saves the time it takes to push your code to GitHub as well as your storage there.

“That’s it, folks!”

Thanks for spending a few minutes with me exploring this topic. I hope it was helpful and you now feel sure of how to guard your secrets. Feel free to ask any questions you have in the comments and I will do my best to address them!