An even more secure way to store the variables is to do it as CLI variables using the set command.
No, it's not. For one, the command doesn't really store them anywhere persistent; and the other, more important thing about actual environment variables is that they're the complete opposite of secure storage. Their entire functionality is based around every process getting a free copy of all environment variables – if you were to use e.g. setx
on Windows to make the variables persist, then literally every app or tool you ran would automatically get a copy thereafter, whether it asked for them or not.
When you see .env
files being used, typically they're either loaded only into the webapp's environment specifically, or even not used as environment variables at all (only mimicking the familiar API but actually loading the variables into a plain old dict/array). In the former case, the variables would still be available to programs spawned directly by the webapp, but never made available to your regular SSH CLI – despite still being called "environment variables", that's not the intended usage.
(The app itself of course still has access to them – it needs to know the API key in order to use the API, after all, so that's unavoidable. Follow recommended programming practices to make it less likely that an attacker would find a way to run that printenv
; e.g. don't put external input like filenames directly into commands.
Depending on what APIs you're using, it might be possible to split your app in two – sort of like microservices – so that the frontend wouldn't be directly accessing the API but would always go through another service that knows the API key and only allows the frontend to do very specific tasks.)