
How should backend apps use environment variables and secrets?

Configuration that changes per environment (ports, database URLs, feature flags) is usually read from the environment, not hard-coded. Secrets (API keys, signing keys) should come from a secret store, vault, or managed platform in production, never from source control. A `.env` file is common in local development and must stay out of the repository (git-ignore it); commit a `.env.example` that lists the variable names only, with no values. Rotation, least privilege, and audit logging are the security story beyond “we used a variable.”

# .env (local, not committed)
DATABASE_URL=postgres://localhost:5432/app
# production: set the same name in the host or k8s Secret
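As an added example (not code from the original page), a small Python loader that applies the rules above: `.env.example` is read for names only, `.env` is consulted only outside production, the real process environment always takes precedence, missing names fail fast without echoing values, and a redacted view keeps secrets out of logs. The file contents are embedded as constructed strings so it runs offline; the variable names and the `app_env` parameter are assumptions.

```python
import re

# Constructed sample of the committed `.env.example`: variable NAMES only.
ENV_EXAMPLE = "DATABASE_URL=\nAPI_SIGNING_KEY=\nPORT=\n"
# Constructed sample of a developer's git-ignored local `.env`.
LOCAL_ENV = """DATABASE_URL=postgres://localhost:5432/app
API_SIGNING_KEY=dev-only-placeholder
PORT=8080
"""

LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.IGNORECASE)
URL_CREDS = re.compile(r"(://[^:/@\s]+:)[^@\s]+(@)")  # user:password@ in a URL

def parse_dotenv(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip().strip("'\"")
    return values

def required_names(example_text):
    """`.env.example` is the contract: which names must exist, never their values."""
    return list(parse_dotenv(example_text))

def load_config(example_text, environ, local_env_text=None, app_env="production"):
    """Resolve every required name. `.env` is read only outside production;
    the process environment always wins, exactly as on a real host or pod."""
    merged = {}
    if app_env != "production" and local_env_text is not None:
        merged.update(parse_dotenv(local_env_text))
    merged.update(environ)
    names = required_names(example_text)
    missing = [n for n in names if not merged.get(n)]
    if missing:  # fail fast; report names only, never values
        raise RuntimeError("missing config: " + ", ".join(missing))
    return {n: merged[n] for n in names}

def redacted(config):
    """Log-safe view: secret-looking names and URL passwords are masked."""
    return {k: "***" if SECRET_NAME.search(k) else URL_CREDS.sub(r"\1***\2", v)
            for k, v in config.items()}
```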

Start simple: try this concept in a tiny project before moving to advanced tools.
