Do you leave the dotenv file on the server? Or delete it?


I'm building a Flask application and use a dotenv file to switch some variables according to the environment, such as production, development, and testing.

AFAIK dotenv is mainly used for security purposes, so should I delete the dotenv file from the server once I have started running the application?
If so, when the application goes down I would need to pull the dotenv file from somewhere, re-run the application, and then delete the file again.

It's not likely to be a good idea to leave the dotenv file on the server,
but the above sounds a little annoying from an operational perspective.

What is the best practice?


There is 1 best solution below


The correct way to protect this file is with UNIX file perms.

chmod 600 .env

Then check the perms look correct with ls -l .env:

-rw-------  1 appuser somegroup  0 Oct 18 01:23 .env

Anyone who has shell access with this user account could read the file, but could also use the set command to view all environment variables. Taking the above step prevents other system users from reading the file.

The security aspect of dotenv is that it prevents you hard-coding secrets into your .py files which would result in them being committed to source control.
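The permission check the answer describes can also be enforced by the application itself at startup, so a .env file that has drifted away from mode 0600 (or been replaced by a symlink or a file owned by someone else) is refused rather than silently loaded. The following is an added example, not code from the question or answer above and not part of any dotenv library; the file names, the KEY=VALUE contents and the minimal parser are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example (not from the original post): refuse to read a .env file unless
# it is a regular file, owned by the current user, with no group/other bits set.
# That is exactly the state `chmod 600 .env` leaves the file in.


class InsecureEnvFile(Exception):
    """Raised when the .env file could be read or written by other users."""


def check_env_file_perms(path):
    """Return the permission bits of `path` if they are acceptable, else raise."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed at this path
    if not stat.S_ISREG(st.st_mode):
        raise InsecureEnvFile(f"{path} is not a regular file")
    if st.st_uid != os.geteuid():
        raise InsecureEnvFile(f"{path} is not owned by uid {os.geteuid()}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureEnvFile(
            f"{path} has mode {oct(mode)}; group/other bits set, expected 0o600"
        )
    return mode


def load_env_file(path):
    """Parse KEY=VALUE lines into a dict, but only after the permission check."""
    check_env_file_perms(path)
    values = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            key, sep, value = line.partition("=")
            if not sep:
                continue  # not a KEY=VALUE line; ignore it
            values[key.strip()] = value.strip().strip("'\"")
    return values


def demo():
    """Create two constructed .env files: one locked down, one world-readable."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "good.env")
    bad = os.path.join(tmp, "bad.env")
    # Constructed sample contents; the secret is a placeholder, not a real key.
    body = "# constructed sample\nFLASK_ENV=production\nSECRET_KEY='placeholder-secret'\n"
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write(body)
    os.chmod(good, 0o600)  # what `chmod 600 .env` does
    os.chmod(bad, 0o644)   # readable by group/other: the state we want to reject
    loaded = load_env_file(good)
    try:
        load_env_file(bad)
        rejected = False
    except InsecureEnvFile:
        rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo())
```

Running the module loads good.env and rejects bad.env. In a Flask app the call to `load_env_file` would sit before `app.config` is populated, so a misconfigured file fails the deployment loudly instead of exposing the secrets to other local users. Note that the check only addresses other accounts on the host; as the answer says, anyone running as the application user can still read the values.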