Environment Variables Security

The cluster discusses the security risks, best practices, and drawbacks of using environment variables in programming, including mutability issues with setenv/getenv, recommendations for read-only access or config files, and debates on their appropriateness versus alternatives.

➡️ Stable 0.7x Security

2,282

Comments

Years Active

Top Authors

#4995

Topic ID

Activity Over Time

2008

2009

2010

2011

2012

2013

2014

197

2015

103

2016

2017

108

2018

2019

2020

132

2021

215

2022

157

2023

414

2024

199

2025

385

2026

Top Contributors

kazinator (26) cryptonector (15) quotemstr (12) eqvinox (12) kelnos (9)

Keywords

EDITOR PATH PS1 yglu.io PYTHONPATH OS PR API E.g UI environment variables variables env environment variable libc command perl calls environmental

Sample Comments

chrissoundz • Oct 12, 2023 • View on HN

How are environment variables insecure?

baud147258 • Apr 11, 2018 • View on HN

Environment variables are not the problem. It's environment variables with too much power and the possibility to change them remotely.

01HNNWZ0MV43FF • Jan 22, 2025 • View on HN

Env vars are good if you treat them as read-only within the process

frollogaston • Jul 3, 2025 • View on HN

Abusing? I thought this is exactly what envvars are for.

happymellon • Oct 13, 2025 • View on HN

You do know about environmental variables?

jcotton42 • Jan 22, 2025 • View on HN

It's not just libc, it's any C or C++ library that calls getenv or setenv.

steveklabnik • Aug 11, 2013 • View on HN

How would this be an improvement over setting environment variables?

jsudhams • Oct 26, 2015 • View on HN

Isn't it bad? Given that only admin/power user can change environment variable, this will be a issue in shared hosting right?

saagarjha • Aug 8, 2022 • View on HN

Yeah, it’s easy until someone calls setenv ;)

zwkrt • Dec 22, 2019 • View on HN

You could make a PR, it looks like the language doesn’t have environment variable access!