III. Config

Store config in the environment

“An app’s config is everything that is likely to vary between deploys (staging, production, developer environments).” – 12factor.net

When to use

Always. Never hardcode credentials.

Why it matters

  • Security: Don’t commit passwords to Git.
  • flexibility: Change database targets without rewriting code.

Signs of Violation

  • config/database.yml committed with passwords.
  • constants like const API_URL = "http://localhost:3000" in the code.

Explanation

Problem

If you hardcode “production-db.com”, you can’t run the app locally without changing code. If you commit passwords, you get hacked.

Solution

Use Environment Variables (dotenv, ENV). The code stays the same; the environment provides the variables.

Real world analogy

A master key system. The lock (App) is the same, but the Key (Env Var) you insert determines if you have access to the Penthouse (Prod) or the Basement (Dev).

Pros and Cons

Pros Cons
  • Security
  • Portability
    		•
  • Managing .env files can be messy in complex setups
    		•

    Comparison

    • Config Files: Traditional config files are checked into repo. 12-Factor says NO to checked-in secrets.

    Code example

    Typescript

    Bad (Violation)

    Good (Adherence)

    PHP

    Bad (Violation)

    Good (Adherence)