
Should I add .env to .gitignore?

Last updated on February 11, 2021 by Sal Ferrarello

The short answer is, “yes”. You should use your .gitignore file to ignore the .env file.

Why Ignore .env

The .env file is typically used for the configuration of your application, which often includes sensitive information like database credentials and API keys. Even if your Git repo is not public, it is a best practice to exclude this information from your repository (the idea being that sensitive configuration information should have higher security than source code).

How to Exclude .env

You can exclude your .env file by adding the following line to your .gitignore file.

.env

In my case, I like to exclude all files that start with a period with exceptions (e.g. .gitignore is an exception).

Warning: If your .env is already part of your Git repository, adding it to .gitignore will not remove it. In this case, you’ll also need to tell Git to stop tracking .env, which you can do with

git rm --cached .env

This will remove .env from your repo (once you commit the change), but leave it on your local machine (and now your .gitignore will cause it to be ignored).

Damage Control

If your .env was checked into your repo, you’ll want to change any credentials that appear in it. This isn’t a lot of fun; however, even though you are no longer tracking your .env file, it is still part of your Git history and can be retrieved.

You can take steps to remove it from your Git repo entirely, but this comes with a host of problems and still does not guarantee there is not a copy of the .env file somewhere.

If sensitive information gets added to a Git repository, it should be changed.
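The three conditions described above (ignored, still tracked, present in history) can be checked from inside a repository with the shell functions below. This is an added example, not code from the original post; the function names `env_is_tracked`, `env_is_ignored`, `env_in_history` and `audit_env` are hypothetical.

```sh
#!/bin/sh
# Added example: audit how Git currently treats a secrets file (default: .env).
# Run from inside the repository you want to check.

# True if the file is in the index (tracked), even when .gitignore lists it.
env_is_tracked() {
  git ls-files --error-unmatch -- "$1" >/dev/null 2>&1
}

# True if an ignore rule matches the path. --no-index makes the check
# apply to tracked files too, which a plain check-ignore would skip.
env_is_ignored() {
  git check-ignore -q --no-index -- "$1"
}

# True if any commit reachable from any ref touched the path.
env_in_history() {
  [ -n "$(git log --all --format=%h -- "$1" 2>/dev/null)" ]
}

# Print one line per check; return non-zero if any check fails.
audit_env() {
  audit_file="${1:-.env}"
  audit_rc=0
  if env_is_ignored "$audit_file"; then
    echo "ok:   $audit_file matches an ignore rule"
  else
    echo "FAIL: $audit_file is not ignored; add it to .gitignore"
    audit_rc=1
  fi
  if env_is_tracked "$audit_file"; then
    echo "FAIL: $audit_file is still tracked; run: git rm --cached $audit_file"
    audit_rc=1
  else
    echo "ok:   $audit_file is not tracked"
  fi
  if env_in_history "$audit_file"; then
    echo "FAIL: $audit_file is in Git history; change every credential it held"
    audit_rc=1
  else
    echo "ok:   $audit_file was never committed"
  fi
  return "$audit_rc"
}
```

After sourcing the file, `audit_env .env` exits non-zero while any of the three checks fails, so it can also gate a pre-commit hook or CI step.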

Include .env.example

Because it is helpful to have a template for your .env file, you’ll often see an .env.example file. This file contains the same structure as your .env file but all of the credentials and API keys have been removed. This helps speed up the process of setting up your project.

Warning! This is a draft, not a finalized post. See full draft disclosure.


Comments

  1. madiha says

    August 16, 2022 at 1:28 pm

    it helps thanks

  2. Mario Roberto says

    September 1, 2022 at 8:15 pm

    Just the information I needed, in Python with Flask the .venv is built in to centralize some database credentials and API keys, and I already had a block from an API provider for detecting that my API KEY was compromised in my GitHub repository.

    If it doesn’t work and it keeps tracking the .venv, you have to force clear the cache as follows:

    git rm --cached -f .env

    Then do a normal commit and that’s it…

    Thanks for the help!
