Developer Productivity

The End of .env Files: Modern Secrets Management for Frontend Teams

A .env file is a plaintext secret taped to your filesystem. After years of supply-chain attacks targeting leaked env files, the industry is finally adopting real secrets management.

Feature Field Engineering9 min read

A .env file is a plaintext file containing secrets on your filesystem. No encryption, no audit trail, no rotation policy. Leaked .env files account for a measurable share of cloud credential breaches.

Modern secrets management tools Doppler, Infisical, 1Password CLI share a common pattern: secrets live in a central vault injected at runtime. Set dev to doppler run -- next dev. No .env file on disk.

Infisical provides a TypeScript SDK for self-hosted teams. The SDK approach generates typed autocomplete for every secret key.

The DX is better than .env: the first command after cloning is doppler setup, which authenticates and pulls correct variables automatically. No README section explaining which .env.example variables are required.

In CI, doppler run -- build with DOPPLER_TOKEN handles environment scoping automatically. No manual variable mapping.

Migration: 1) Audit current secrets 2) Choose a vault 3) Replace dev script 4) Remove .env files 5) Rotate every old secret 6) Document the one-line setup.

Plaintext secrets on a filesystem were always a bad idea. The tools have caught up to where the secure option is also the simpler one.

Related briefs