Environment Configuration
Vite env vars use a VITE_ prefix per environment — and never hold secrets.
Vite loads environment variables from .env files and exposes only those prefixed with VITE_ to client code via import.meta.env. You keep a file per mode — .env.development and .env.production — so the same code points at different backends (http://localhost:8080/api in dev, https://api.dice.zaggle.in/api in prod) without conditionals.
The single most important rule: never put secrets in frontend env vars. Anything prefixed VITE_ is inlined into the JavaScript bundle at build time, so it ships to every visitor in plain text. A VITE_SECRET_KEY is readable by anyone who opens DevTools. Secrets (API keys, signing secrets) must live on the backend; the frontend only ever holds public configuration like API base URLs and project IDs.
Vite's import.meta.env is the frontend analog of Spring's @Value / application-{profile}.properties — you swap config per environment without touching code. The crucial difference: backend config files stay on the server, but anything you expose to the frontend bundle is effectively public, like committing a property file to a public repo.
- Only VITE_-prefixed variables reach the client; everything else stays build-time only.
- VITE_ values are inlined into the bundle at build — they are NOT runtime secrets and are visible to anyone.
- Keep one .env file per mode (.env.development, .env.production) so the same code targets different backends.
Worked Code
// .env files (Vite uses VITE_ prefix)
// .env.development
VITE_API_URL=http://localhost:8080/api
VITE_FIREBASE_PROJECT_ID=dice-dev
// .env.production
VITE_API_URL=https://api.dice.zaggle.in/api
VITE_FIREBASE_PROJECT_ID=dice-prod// Access in code
const apiUrl = import.meta.env.VITE_API_URL;
// NEVER put secrets in frontend env vars — they're in the bundle!
// VITE_SECRET_KEY=abc123 <- anyone can read thisInterview-Ready Q&A
Only variables prefixed with VITE_ are exposed via import.meta.env; everything else is available only at build/config time and is stripped from client code. This prefix is a deliberate guardrail so you don't accidentally leak server-only variables into the bundle.
- 1Only VITE_-prefixed vars reach the client; access them via import.meta.env.
- 2VITE_ vars are inlined into the bundle at build time — never store secrets there.
- 3One .env file per mode lets identical code target dev vs prod backends.