985: Stop putting secrets in .env
Syntax - Tasty Web Development Treats
Wes Bos
🗓️ 9 March 2026
⏱️ 47 minutes
| 0:00.0 | Welcome to Syntax. If you have a .env file sitting on your computer, this is the episode for you |
| 0:06.1 | because we're going to talk to you about why you shouldn't be doing that. My name is Wes Bos. And with us today, |
| 0:12.2 | we've got Theo Ephraim and Phil Miller. They work on Varlock, which is a solution, a library that |
| 0:20.0 | will help you inject your secrets into your app and |
| 0:24.0 | into your coding agents. But we also just want to talk about just like, why is everyone just |
| 0:29.6 | putting like text files on their computer with all of their secrets when we have all of this |
| 0:35.4 | like logging into Notion for me is like a ritual or I have to |
| 0:40.8 | like use a thousand things and there's beep-pop, bump, pin codes and everything. And then we just |
| 0:45.8 | put the like database string in a dot env file. So welcome guys. Thanks a lot for coming on. Yeah, |
| 0:52.0 | thanks for having us. Thanks for having us. So let's start there. |
| 0:55.2 | Yeah. What's wrong with those .env files? Yeah, I mean, why don't we first just talk about like, |
| 1:00.8 | you know, you have these files sitting there. Often you're putting plain text secrets in there. |
| 1:05.6 | And, you know, maybe you don't have any like super sensitive production secrets in there, |
| 1:10.1 | but you still probably have |
| 1:11.0 | some or you know maybe you needed to run some script that connected to production so you put it in |
| 1:15.2 | there once and you know you forget that the file's even there and you know especially now in the |
| 1:20.2 | era of AI coding agents where they're just reading all your files slurping it all up sending it off |
| 1:25.3 | to some server, like the only real safe way to ensure that they're not going to be sent up to, you know, OpenAI is to get them out of plain text altogether. |
| 1:35.1 | To go back a bit to answer your question, I think the reason they're sitting in plain text is because every tutorial on the internet, the first step is put the secret in plain text in a .env file and then do the rest of the tutorial. |
| 1:50.4 | So everyone is still telling people to do that even though we know that it's wrong. |
| 1:55.1 | And then we copy and paste those files on Slack, right? |
| 1:57.9 | I think that even the harder challenge is for the most part that most people |
... |