Why you shouldn't use ENV variables for secret data (via) I do this all the time, but this article provides a good set of reasons that secrets in environment variables are a bad pattern—even when you know there’s no multi-user access to the host you are deploying to. The biggest problem is that they often get captured by error handling scripts, which may not have the right code in place to redact them. This article suggests using Docker secrets instead, but I’d love to see a comprehensive write-up of other recommended patterns for this that go beyond applications running in Docker.
Recent articles
- Claude Code for web - a new asynchronous coding agent from Anthropic - 20th October 2025
- Getting DeepSeek-OCR working on an NVIDIA Spark via brute force using Claude Code - 20th October 2025
- Claude Skills are awesome, maybe a bigger deal than MCP - 16th October 2025