
Config & Secrets: Keeping Sensitive Keys Out of your Codebase
The Risk of Hardcoded Secrets

If your SECRET_KEY or DATABASE_URL is hardcoded in your source code and pushed to GitHub, anyone can find it and compromise your entire system. This is one of the most common security mistakes junior developers make.

The Solution: .env Files

A .env file stores sensitive values locally. It never gets pushed to GitHub.

```
DATABASE_URL=sqlite:///app.db
SECRET_KEY=gdgoc-bowen-secret-key-2026
ALGORITHM=HS256
TOKEN_EXPIRE_HOURS=24
```

Loading .env in FastAPI

```python
from dotenv import load_dotenv
import os

# Reads the .env file in the working directory into os.environ.
# By default a variable that is already set in the real environment wins.
load_dotenv()

DATABASE_URL = os.getenv("DATABASE_URL")
SECRET_KEY = os.getenv("SECRET_KEY")
ALGORITHM = os.getenv("ALGORITHM")
# os.getenv returns None when the variable is missing, so int() raises at startup
# rather than the app silently running with no expiry.
TOKEN_EXPIRE_HOURS = int(os.getenv("TOKEN_EXPIRE_HOURS"))
```

No hardcoded values anywhere in the code. Everything comes from the environment.

.env.example: The Documentation

.env is never pushed to GitHub, but other developers need to know what variables are required. That's what .env.example is for:

```
DATABASE_URL=your_database_url_here
SECRET_KEY=your_
```
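The snippet above reads whatever happens to be in the environment and only discovers a missing or malformed value when something downstream breaks. The following is an added example, not code from the article or from python-dotenv: it shows the same load-from-environment pattern done defensively, using only the standard library. It parses a .env file the way load_dotenv does by default (real environment wins over the file), fails fast at startup with a clear error when a required variable is absent or TOKEN_EXPIRE_HOURS is not a positive integer, and gives the settings object a repr that never leaks the secret key or a database password into logs or tracebacks. The .env contents and every value in them are constructed for the example; the function and class names are this example's own.

```python
"""Added example: fail-fast, log-safe settings loaded from the environment."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample .env contents, embedded so the example runs offline.
# Every value here is a placeholder, not a real key.
SAMPLE_DOTENV = """
# comments and blank lines are ignored
DATABASE_URL=sqlite:///app.db
SECRET_KEY=replace-me-with-a-long-random-value   # inline comment is dropped
ALGORITHM="HS256"
TOKEN_EXPIRE_HOURS=24
"""

_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; supports quoted values and trailing # comments."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue  # malformed line: ignore rather than guess
        key, val = match.groups()
        if val[:1] in ('"', "'") and val.count(val[0]) >= 2:
            val = val[1 : val.index(val[0], 1)]  # keep quoted value verbatim
        else:
            val = val.split(" #", 1)[0].rstrip()  # strip unquoted inline comment
        values[key] = val
    return values


def load_dotenv_into(environ, text: str, override: bool = False) -> None:
    """Copy parsed values into a mapping; existing keys win unless override=True."""
    for key, val in parse_dotenv(text).items():
        if override or key not in environ:
            environ[key] = val


class ConfigError(RuntimeError):
    """Raised at startup when the environment is incomplete or malformed."""


def _redact_url(url: str) -> str:
    """Mask the password in scheme://user:password@host URLs."""
    return re.sub(r"://([^:/]+):([^@]+)@", r"://\1:***@", url)


@dataclass(frozen=True, repr=False)
class Settings:
    database_url: str
    secret_key: str
    algorithm: str
    token_expire_hours: int

    def __repr__(self) -> str:  # never print the secret, even by accident
        return (
            f"Settings(database_url={_redact_url(self.database_url)!r}, "
            f"secret_key='***', algorithm={self.algorithm!r}, "
            f"token_expire_hours={self.token_expire_hours})"
        )


def _require(environ, name: str) -> str:
    value = environ.get(name)
    if not value:
        raise ConfigError(f"missing required environment variable {name}")
    return value


def load_settings(environ) -> Settings:
    """Build Settings from a mapping such as os.environ, validating each field."""
    hours_raw = _require(environ, "TOKEN_EXPIRE_HOURS")
    try:
        hours = int(hours_raw)
    except ValueError:
        raise ConfigError("TOKEN_EXPIRE_HOURS must be an integer") from None
    if hours <= 0:
        raise ConfigError("TOKEN_EXPIRE_HOURS must be positive")
    return Settings(
        database_url=_require(environ, "DATABASE_URL"),
        secret_key=_require(environ, "SECRET_KEY"),
        algorithm=_require(environ, "ALGORITHM"),
        token_expire_hours=hours,
    )


if __name__ == "__main__":
    env = dict(os.environ)  # work on a copy so the demo does not mutate the process
    load_dotenv_into(env, SAMPLE_DOTENV)
    print(load_settings(env))  # secret_key shows as '***'
```

In a real service the file contents come from reading `.env` from disk, and `load_dotenv_into(os.environ, ...)` works unchanged because `os.environ` supports the same mapping operations. Keeping `override=False` as the default matches load_dotenv's behaviour, so a value injected by the deployment platform takes precedence over a stale local file, and the custom `__repr__` means a crash report that dumps the settings object does not also dump the key.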