Work securely with credentials in ExpressJS with dotenv
utopian-io · @jfuenmayor96
*Image source: [conectica.com](https://conectica.com/2014/01/20/123456-ya-es-el-peor-password-del-2013/#!sJ1Qg)*

When we are working on a project, mostly on a server or back end for an application, we need to use credentials: credentials to connect to our databases, API keys, usernames and passwords, and the list goes on. Committing those values to our repository, even a private one, is never recommended: everyone with read access to the repository (collaborators, CI services, anyone who later obtains a clone) gets them, and once a secret has been committed it stays in the Git history even after the file is deleted. In this tutorial, we will learn how to use our credentials securely with the help of environment variables and the JavaScript library [**dotenv**](https://www.npmjs.com/package/dotenv).

____

## Requirements

* A NodeJS / Express server.
* A repository for our project. Here we'll use Git.
* The NPM package manager.

___

## Set up

We can create an Express application easily with the help of the [**Express application generator**](https://expressjs.com/en/starter/generator.html).

*Note: depending on how Node was installed, you may need `sudo` for the global installation.*

After installing this package globally with NPM (`npm install -g express-generator`), we can create our application by running the `express` command with the name of the folder we want. This command creates a folder with that name and all the structure we need in order to run our Express application. As it says, we need to go into the folder and run `npm install` to install all the dependencies we need to execute the server. There might be some warnings we can just ignore.

Now we need to install the `dotenv` package via NPM (`npm install dotenv`).

And finally, we need to set up a repository for our project. As I said before, I'm going to use Git (`git init` in the project folder).

Now we need to create an additional file that we will call `index.js`, where we'll set up the port on which our application will listen for requests and also start our server.
If everything went as expected, we can now execute `node index.js` in our terminal, and when we open `localhost:5000/` in our browser we'll see the default Express welcome page.

___

## Configuring `dotenv`

Now that everything's working, we can start to configure `dotenv`. First, we need to create a file called `.env` in the root of our project. This is where we are going to store all the environment variables we need to use, one per line, in the form `VAR=VALUE`.

We'll be working on the index route that we can find in `./routes/index.js`. Here, we need to require the `dotenv` package and call its `config()` function, which reads `.env` and copies each variable into `process.env`. Two details matter in practice: `config()` does not overwrite a variable that is already set in the real environment (so a value exported in the shell or by the hosting platform takes precedence over the file), and every value arrives as a string, so a numeric setting such as a port has to be converted before use.

We will use the views that our Express application created by default, but we can use our environment variables wherever we need them. I'm going to pass the content of my environment variables to the view via [ES6 Template Strings](https://developers.google.com/web/updates/2015/01/ES6-Template-Strings), so they will be rendered in the title of the `index` view. Also, I'm going to print them in the console, so every time I access `/` in the browser their content will be printed in the terminal. Remember that **this is not the purpose of environment variables**: rendering or logging a credential defeats the point of keeping it out of the code, so do this only with throwaway values to confirm that the file was loaded, never with real secrets and never in production.

After saving the changes, we stop the server in the terminal and execute it again, since `.env` is read once at start-up. Then we access `http://localhost:5000/` again to see the changes.

And that's it. That's how we set up our custom environment variables and use them in our NodeJS / Express project.

___

## Final Step: Securing our .env file

We just configured the `dotenv` package to read our environment variables from the `.env` file. This file will likely contain a lot of information that we don't want to share, or even commit to our repository.
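Before we hide the file, it helps to see exactly what `dotenv` does with it and how the port setting from `index.js` and the variables used in `routes/index.js` reach the server. The following is an added example, not code from the original post or from the `dotenv` package: it re-implements the loading rules described above (the `VAR=VALUE` format, comments, quoted values, and the rule that an already-set environment variable wins over the file) with Node built-ins only, so it runs without `express` or `dotenv` installed, then validates the configuration at start-up, redacts secrets before logging, and derives a `.env.example` with empty values, which is the file you can safely commit alongside the ignored `.env` (a common convention, not something the post describes). The `.env` contents and the key names `PORT`, `DB_URL` and `API_KEY` are constructed for the example.

```javascript
'use strict';

// Constructed .env file in the VAR=VALUE form dotenv reads (example data, not
// real credentials). Blank lines and `#` comments are skipped; surrounding
// quotes on a value are removed.
const SAMPLE_DOTENV = `
# local development settings
PORT=5000
DB_URL="postgres://app:s3cret@localhost/appdb"
API_KEY=abc123
`;

// Parse the text of a .env file into a plain object. Lines that are not
// KEY=VALUE are ignored rather than treated as an error, as dotenv does.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    out[m[1]] = value;
  }
  return out;
}

// Copy parsed values into `env` but, like dotenv.config(), never overwrite a
// variable that is already set: the real environment (shell, container,
// hosting platform) takes precedence over the file. In index.js you would
// pass process.env itself here.
function loadDotenv(text, env) {
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (env[key] === undefined) env[key] = value;
  }
  return env;
}

// Build the configuration the server needs. Everything in process.env is a
// string, so PORT is converted and range-checked here, and a missing required
// variable fails at start-up instead of deep inside a request handler.
function buildConfig(env) {
  for (const key of ['DB_URL', 'API_KEY']) {
    if (!env[key]) throw new Error(`Missing required environment variable ${key}`);
  }
  const port = Number(env.PORT ?? '3000');
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`Invalid PORT: ${env.PORT}`);
  }
  return { port, dbUrl: env.DB_URL, apiKey: env.API_KEY };
}

// Redact secret-looking values before printing, so the "did it load?" check
// from the tutorial can stay in a log line without leaking the credential.
function redacted(config) {
  const hide = (s) => (s.length <= 4 ? '****' : `${s.slice(0, 2)}...${s.slice(-2)}`);
  return {
    port: config.port,
    dbUrl: config.dbUrl.replace(/(:\/\/[^:]+:)[^@]+@/, '$1****@'),
    apiKey: hide(config.apiKey),
  };
}

// Produce the .env.example that is safe to commit: the same keys, empty values.
function toExample(text) {
  return Object.keys(parseDotenv(text)).map((k) => `${k}=`).join('\n') + '\n';
}

// Demo on a copy of the environment so the host's variables still win, as
// they would in production.
const demoConfig = buildConfig(loadDotenv(SAMPLE_DOTENV, { ...process.env }));
console.log('loaded config:', redacted(demoConfig));
console.log('.env.example to commit:\n' + toExample(SAMPLE_DOTENV));
```

The two behaviours worth keeping in mind from this are the precedence rule (a `PORT` exported in the shell is not replaced by the one in `.env`, which is what lets the same code run in development and on a hosting platform) and the start-up validation: a typo in a key name surfaces as a clear error at boot rather than as an `undefined` credential at the first database call.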
So, in order to keep our `.env` file out of our repository and our commits, we need to exclude it using a **[`.gitignore` file](https://git-scm.com/docs/gitignore)**. Here we list the names of the directories and files that we don't want to commit. We simply need to create a file called `.gitignore` in the root of our project (or wherever our repository was initialized) and add `.env` to it, together with `node_modules/`, which is reinstalled from `package.json` and should not be committed either.

Now, if we run `git status` in the terminal, we'll see that neither the `.env` file nor the `node_modules/` directory is listed as untracked. Note that `.gitignore` only affects files Git is not already tracking: if `.env` was committed before the rule was added, `git rm --cached .env` removes it from the index, and the secrets it held should be rotated, since they remain in the history.

So, that's it. We've just learned how to work securely with our environment variables and credentials.

#### All the screenshots were taken by me

##### Leave any comments, suggestions and questions in the comments section

<hr/><em>Posted on <a href="https://utopian.io/utopian-io/@jfuenmayor96/work-securely-with-credentials-in-expressjs-with-dotenv">Utopian.io - Rewarding Open Source Contributors</a></em><hr/>