Secrets Management: From .env Files to Production Vaults

via Dev.to DevOps, by Young Gao

Your database password is in a .env file committed to git. Everyone who has ever cloned the repo has your production credentials.

The Maturity Ladder

Level 0: Hardcoded in source. Never do this.
Level 1: .env files (gitignored). Fine for development, not for production.
Level 2: Platform secrets (AWS Parameter Store, Vercel env vars, Railway secrets). Encrypted at rest, access-controlled.
Level 3: Secret managers (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager). Rotation, audit logs, dynamic secrets.

Validating Secrets at Startup

Fail fast if required secrets are missing:

```typescript
// Every environment variable the service cannot run without.
const requiredSecrets = [
  "DATABASE_URL",
  "REDIS_URL",
  "JWT_SECRET",
  "STRIPE_SECRET_KEY",
] as const;

// Throws at startup if any required secret is unset or empty,
// so the process never comes up half-configured.
function validateSecrets(): void {
  const missing = requiredSecrets.filter((s) => !process.env[s]);
  if (missing.length > 0) {
    throw new Error(`Missing required secrets: ${missing.join(", ")}`);
  }
}
```

Secret Rotation

Static secrets are time bombs. Rotate them before th
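Extending the startup check above, here is an added example (not the article's code) that also rejects placeholder and malformed values and keeps secret values out of the error message; the secret names, placeholder list and per-secret rules are assumptions chosen for illustration.

```typescript
// Added example, not the article's code; names, placeholder list and rules are illustrative assumptions.
type SecretRule = {
  name: string;
  check?: (value: string) => string | null; // problem description, or null if acceptable
};
// Values that commonly ship in sample .env files and must never reach production.
const PLACEHOLDERS: readonly string[] = ["", "changeme", "password", "secret", "todo", "xxx"];

function urlRule(value: string): string | null {
  try {
    new URL(value);
    return null;
  } catch {
    return "is not a valid URL";
  }
}

function minLengthRule(min: number): (value: string) => string | null {
  return (value) => (value.length >= min ? null : `is shorter than ${min} characters`);
}

const SECRET_RULES: SecretRule[] = [
  { name: "DATABASE_URL", check: urlRule },
  { name: "REDIS_URL", check: urlRule },
  { name: "JWT_SECRET", check: minLengthRule(32) },
  { name: "STRIPE_SECRET_KEY" },
];

// Lists every problem found, naming the variable but never its value, so the error is safe to log.
function findSecretProblems(env: Record<string, string | undefined>): string[] {
  const problems: string[] = [];
  for (const rule of SECRET_RULES) {
    const value = env[rule.name];
    if (value === undefined) {
      problems.push(`${rule.name} is missing`);
    } else if (PLACEHOLDERS.indexOf(value.trim().toLowerCase()) !== -1) {
      problems.push(`${rule.name} is a placeholder value`);
    } else if (rule.check) {
      const issue = rule.check(value);
      if (issue !== null) problems.push(`${rule.name} ${issue}`);
    }
  }
  return problems;
}

// Fail fast: call validateSecrets(process.env) before opening any connection.
function validateSecrets(env: Record<string, string | undefined>): void {
  const problems = findSecretProblems(env);
  if (problems.length > 0) throw new Error(`Secret validation failed: ${problems.join("; ")}`);
}
```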

Continue reading on Dev.to DevOps
