Stop Hardcoding Secrets: Environment Variables Best Practices in 2026

I've reviewed hundreds of GitHub repos. The #1 security mistake? Hardcoded secrets. Here's how to handle environment variables properly in 2026. The Problem // DO NOT DO THIS const db = mysql . connect ({ host : ' production-db.example.com ' , password : ' super_secret_password_123 ' }); This code gets committed, pushed, and now your database password is public forever (yes, even if you delete the commit — git history remembers). The Solution: .env Files + Environment Variables Step 1: Create a .env file DATABASE_URL = postgres://user:pass@host:5432/mydb API_KEY = sk_live_abc123 JWT_SECRET = your-256-bit-secret NODE_ENV = development Step 2: Load it in your code Node.js: npm install dotenv require ( ' dotenv ' ). config (); const db = mysql . connect ({ host : process . env . DATABASE_HOST , password : process . env . DATABASE_PASSWORD }); Python: pip install python-dotenv from dotenv import load_dotenv import os load_dotenv () db_password = os . getenv ( ' DATABASE_PASSWORD ' ) Step 3