I Built My Own Config Format for Node.js That Separates Server and Client Secrets

DEV Community·KANISHQ R PUROHIT·21 days ago
#security#node#npm#fullscreen#server#config

The problem with dotenv that nobody talks about, and how I fixed it with kq-config.

The Problem

Every Node.js project I've worked on has the same setup:

    DB_PASS = supersecret
    SECRET_KEY = myjwtsecret
    API_URL = http://localhost:3000
    THEME = dark
    PORT = 3000

One .env file. Everything in one place. Server secrets, client settings, database passwords, all mixed together.

This works fine until we ask: who can see what? Your frontend code reads process.env.API_URL, and that works fine. But what stops it from also reading process.env.DB_PASS? In most setups, nothing. The same object holds everything.

I kept thinking: why do we give everyone access to everything?

The Idea

What if your config file had separate blocks: one for the server, one for the client, and each side could only read its own?

    config.kq
    ├── ::shared → merged into both
    ├── ::server → server only
    └── ::client → client only

Server reads ::server. Client reads ::client.…
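The loader sketched below is an added example, not kq-config's own code: it shows one way the ::shared / ::server / ::client split can be implemented so that the client view is built without the server block at all, rather than holding everything and filtering on read. The line syntax it parses (`::name` section headers, `KEY = value` entries, `#` comments) is an assumption made for the example; kq-config's real grammar may differ. The sample config text is constructed from the .env values in the post.

```javascript
// Added example, not kq-config's own code. The `::section` / `KEY = value`
// syntax below is an assumed grammar for illustration only.

const SECTIONS = new Set(["shared", "server", "client"]);

// Parse config text into { shared: {...}, server: {...}, client: {...} }.
// Entries before the first `::section` header are rejected so that nothing
// lands in a section by accident.
function parseSectionedConfig(text) {
  const result = { shared: {}, server: {}, client: {} };
  let current = null;
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (line === "" || line.startsWith("#")) continue;
    const header = /^::([a-z]+)$/.exec(line);
    if (header) {
      if (!SECTIONS.has(header[1])) {
        throw new Error(`line ${i + 1}: unknown section ::${header[1]}`);
      }
      current = header[1];
      continue;
    }
    if (current === null) {
      throw new Error(`line ${i + 1}: entry outside of any ::section`);
    }
    const eq = line.indexOf("=");
    if (eq === -1) throw new Error(`line ${i + 1}: expected KEY = value`);
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    // Restrict keys to the usual env-var shape; this also keeps names such as
    // __proto__ or constructor out of the plain objects used as maps.
    if (!/^[A-Z][A-Z0-9_]*$/.test(key)) {
      throw new Error(`line ${i + 1}: invalid key ${JSON.stringify(key)}`);
    }
    result[current][key] = value;
  }
  return result;
}

// Build the two views. The client view is assembled only from ::shared and
// ::client, so a server-only key is absent from it rather than hidden behind a
// runtime check. Both views are frozen so nothing can be added later.
function buildViews(parsed) {
  const server = Object.freeze({ ...parsed.shared, ...parsed.server });
  const client = Object.freeze({ ...parsed.shared, ...parsed.client });
  return { server, client };
}

// A key declared in ::server that is also spelled out in ::shared or ::client
// would reach the client through the merge, so report that at load time.
function findLeakedServerKeys(parsed) {
  return Object.keys(parsed.server).filter(
    (k) => k in parsed.shared || k in parsed.client
  );
}

// Constructed sample config, mirroring the .env values from the post.
const SAMPLE_CONFIG = `
# constructed config.kq for this example
::shared
API_URL = http://localhost:3000

::server
DB_PASS = supersecret
SECRET_KEY = myjwtsecret
PORT = 3000

::client
THEME = dark
`;

function loadSample() {
  const parsed = parseSectionedConfig(SAMPLE_CONFIG);
  const leaked = findLeakedServerKeys(parsed);
  if (leaked.length > 0) {
    throw new Error(
      `server-only keys also defined in a client-visible section: ${leaked.join(", ")}`
    );
  }
  return buildViews(parsed);
}

const views = loadSample();
console.log("server sees:", Object.keys(views.server).sort());
console.log("client sees:", Object.keys(views.client).sort());
console.log("client DB_PASS:", views.client.DB_PASS); // undefined
```

The separation only holds if the build step that produces the browser bundle is handed `views.client` and never the raw file or `views.server`; the loader makes the safe object easy to pick, but it cannot stop a build script that reads the whole file.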
