
Syntax - Tasty Web Development Treats 985: Stop putting secrets in .env
Mar 9, 2026. Guests: Phil Miller, a Varlock contributor who focuses on secrets management and integrations, and Theo Ephraim, an engineer building schema-driven env tooling for better DX and security. They discuss why plaintext .env files are risky, then introduce Varlock’s schema, validation, plugins for secrets providers, integrations across frameworks and CI, and ways to prevent accidental leaks and support AI workflows.
AI Snips
Why Plain .env Files Are A Major Risk
- .env files are unsafe because tutorials normalize storing plain-text secrets and developers copy them around without thinking.
- Theo and Phil highlight AI agents and forgotten copy-pastes as attack vectors that make local .env files high-risk.
When 1Password CLI Slowed Onboarding To The Point Of Copy Paste
- Wes describes a real onboarding hiccup where Serge spent half a day trying to inject 1Password CLI secrets and resorted to copy-pasting into .env.
- That story illustrates why developers choose the path of least resistance over secure workflows.
Replace .env Example Files With A Declarative Schema
- Use a single declarative schema file that combines schema, docs, and value sources instead of separate .env and .env.example files.
- Varlock uses JSDoc-style @decorators in the comments of a committed .env.schema file to mark variables as required, sensitive, and typed, and to declare that a value is fetched from a plugin such as 1Password or AWS rather than stored in the file.
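As an added illustration of the decorator-in-comments idea above, here is a minimal schema-driven env loader. This is example code written for this page, not Varlock's implementation or its grammar: the decorator names (`@required`, `@sensitive`, `@type=...`), the `SAMPLE_SCHEMA` text, and the `parseEnvSchema`, `loadEnv` and `redact` functions are all assumptions made here. The point it demonstrates is that a committed schema can carry "this is a secret" and "this is required" as metadata while holding no secret values itself, so validation can fail loudly on a missing secret without ever echoing one.

```javascript
// Constructed sample schema, of the kind that would be committed to git.
// Note that STRIPE_SECRET_KEY has no value here: the schema only declares it.
const SAMPLE_SCHEMA = `
# @type=url
# @required
API_BASE_URL=https://api.example.com

# @sensitive @required
# @type=string
STRIPE_SECRET_KEY=

# @type=number
PORT=3000
`;

// Parse the hypothetical mini-format: @decorators in comment lines apply to
// the next KEY=value line. A non-empty value is treated as a non-secret default.
function parseEnvSchema(text) {
  const schema = {};
  let pending = { required: false, sensitive: false, type: 'string' };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      // Several decorators may share one comment line.
      for (const m of line.matchAll(/@(\w+)(?:=(\S+))?/g)) {
        const [, name, value] = m;
        if (name === 'required') pending.required = true;
        else if (name === 'sensitive') pending.sensitive = true;
        else if (name === 'type') pending.type = value;
      }
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const def = line.slice(eq + 1).trim();
    schema[key] = { ...pending, default: def === '' ? undefined : def };
    pending = { required: false, sensitive: false, type: 'string' };
  }
  return schema;
}

// Type checks for the three types the sample schema uses.
const TYPE_CHECKS = {
  string: () => true,
  number: (v) => /^-?\d+(\.\d+)?$/.test(v),
  url: (v) => { try { new URL(v); return true; } catch { return false; } },
};

// Resolve each declared variable from the supplied env (e.g. process.env or
// values injected by a secrets provider), falling back to the schema default,
// then validate. Error messages never include the value of a sensitive var.
function loadEnv(schema, env) {
  const values = {};
  const errors = [];
  for (const [key, spec] of Object.entries(schema)) {
    const v = env[key] !== undefined ? env[key] : spec.default;
    if (v === undefined || v === '') {
      if (spec.required) errors.push(`${key}: required but not set`);
      continue;
    }
    const check = TYPE_CHECKS[spec.type] || TYPE_CHECKS.string;
    if (!check(v)) {
      const shown = spec.sensitive ? '' : `, got ${JSON.stringify(v)}`;
      errors.push(`${key}: expected ${spec.type}${shown}`);
      continue;
    }
    values[key] = v;
  }
  return { values, errors };
}

// Mask sensitive values before anything is logged or sent to a crash reporter.
function redact(schema, values) {
  const out = {};
  for (const [key, v] of Object.entries(values)) {
    out[key] = schema[key] && schema[key].sensitive ? '***' : v;
  }
  return out;
}
```

In a real setup the sensitive values would come from a provider (the 1Password CLI, a cloud secrets manager) at load time rather than from a file in the working tree; the schema is what lets the loader know which variables must be present, which must be typed, and which must never appear in output.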


