An environment variable is a named configuration value stored outside of an application's source code, made available to the application at runtime by the operating system or hosting environment. Rather than hardcoding values like database connection strings, API keys, or feature flags directly into code, developers place them in environment variables so that the same codebase can behave differently depending on where it is running.
Why Environment Variables Matter
The core problem environment variables solve is the separation of configuration from code. A web application typically runs in multiple contexts: a local development machine, a staging server, and a production environment. Each context requires different settings. The database a developer connects to locally should not be the same one serving real users in production. By reading these values from the environment rather than from the code itself, the application adapts to its surroundings without any changes to the codebase.
Security is an equally important motivation. Sensitive values such as API secrets, encryption keys, and third-party service credentials should never be committed to a version control system like Git. If a secret is embedded in source code and the repository is ever made public or is compromised, that secret is exposed. Environment variables keep sensitive configuration out of the codebase entirely, reducing the risk of accidental exposure.
How They Work in Practice
In most web development workflows, environment variables are defined in the deployment environment itself, whether that is a cloud platform like AWS, Vercel, or Heroku, a containerized setup using Docker, or a CI/CD pipeline. For local development, a file named .env is a common convention. This file lists key-value pairs such as DATABASE_URL=postgres://localhost/myapp and is loaded by the application on startup, often through a library. The .env file is typically listed in .gitignore to ensure it is never committed to source control.
Frameworks and runtimes expose environment variables through a standard interface. In Node.js, for example, they are accessible via process.env. In Python, the os.environ dictionary serves the same purpose. The application code references the variable by name, and the actual value is supplied by the environment at runtime.
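The .env convention and the os.environ interface described above, shown as an added example (not code from the original page): a small loader that lets values already set in the real environment take precedence over the .env file, fails fast when a required variable is missing, and masks secret-looking values before configuration is logged. The function names, the SECRET_HINTS list, the precedence rule, and the sample values are assumptions made for illustration.

```python
import os

# Assumed naming heuristic: variables whose names contain these words are
# treated as sensitive (connection URLs often embed credentials).
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "URL")

def parse_dotenv(text):
    """Parse KEY=VALUE lines; skip blanks and # comments; strip matching quotes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs[key] = value
    return pairs

def load_config(required, dotenv_text="", environ=None):
    """Merge .env values under the real environment, then fail fast on gaps."""
    environ = os.environ if environ is None else environ
    merged = {**parse_dotenv(dotenv_text), **environ}  # real environment wins
    missing = [name for name in required if not merged.get(name)]
    if missing:
        # Report variable names only; never echo values in error messages.
        raise RuntimeError("missing required variables: " + ", ".join(missing))
    return {name: merged[name] for name in required}

def redact(config):
    """Return a copy safe for logging: secret-looking values are masked."""
    return {k: "***" if any(h in k.upper() for h in SECRET_HINTS) else v
            for k, v in config.items()}

# Constructed sample input, not a real .env file or real credentials.
SAMPLE_DOTENV = """
# local development only
DATABASE_URL=postgres://localhost/myapp
API_KEY="constructed-example-key"
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    cfg = load_config(["DATABASE_URL", "API_KEY", "LOG_LEVEL"],
                      SAMPLE_DOTENV, environ={"LOG_LEVEL": "info"})
    print(redact(cfg))
```

Passing environ explicitly keeps the example deterministic; leaving it out reads from os.environ as the application would at runtime.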
Environment Variables and Deployment
In modern deployment and CI/CD workflows, managing environment variables is a first-class concern. Platforms provide secure vaults or settings panels where variables can be stored and injected into running processes without ever appearing in logs or repositories. Some teams use dedicated secrets management tools such as HashiCorp Vault or AWS Secrets Manager for more granular control over who and what can access sensitive values.
Understanding environment variables is foundational for anyone working with web application deployment. They represent the standard mechanism by which applications remain portable, secure, and configurable across the full range of environments they encounter throughout their lifecycle.