You're currently hard-coding config and secrets into your Node.js application. This is a security risk: any developer with access to the code can view sensitive information such as production database credentials and API keys. It is a common problem, but more secure alternatives are available.

Environment variables are considered the best way to configure applications. They keep secrets out of source code, allow deployment to any environment without code changes, and make the application portable across different environments and platforms. Specific values such as database credentials, API keys, and hostnames can be set dynamically, which makes config and secrets easier to manage.

The process.env object is created when the Node.js application starts or a script is run. Every value read from it is a string, so non-string types such as numbers and booleans must be parsed before use. To handle missing required environment variables, you can use the assert module's ok method or design your own solution. Avoiding default values for environment variables is recommended: it gives you a single source of truth for app config and secret values, which makes debugging easier.

When setting environment variables in Node.js, convert non-string values to strings first, and be aware that changes made to environment variables in the parent process do not affect the child process.

Finally, using .env files is not recommended due to security risks and lack of standardization. Instead, consider using an environment variable manager like Doppler for managing config and secrets.
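The following is an added example, not code from the original article: a fail-fast config loader that uses the assert module's ok method for required variables, parses non-string types explicitly, and applies no defaults. The variable names (DATABASE_URL, PORT, ENABLE_CACHE, EXAMPLE_WORKERS) and the helper names are assumptions chosen for illustration.

```javascript
// Added example; variable and helper names are assumptions, not from the article.
const { ok } = require('node:assert');

// Read a required variable. No default: a missing value stops startup.
// The message names the variable but never echoes its value (it may be a secret).
function required(env, name) {
  const value = env[name];
  ok(value !== undefined && value !== '', `Missing required environment variable: ${name}`);
  return value;
}

// process.env values are always strings, so numbers must be parsed explicitly.
function requiredInt(env, name) {
  const raw = required(env, name);
  ok(/^\d+$/.test(raw), `${name} must be a non-negative integer`);
  return Number.parseInt(raw, 10);
}

// The string "false" is truthy in JavaScript, so compare against literals.
function requiredBool(env, name) {
  const raw = required(env, name);
  ok(raw === 'true' || raw === 'false', `${name} must be "true" or "false"`);
  return raw === 'true';
}

// Build the whole config once at startup; freeze it so it stays the
// single source of truth for the rest of the process.
function loadConfig(env = process.env) {
  return Object.freeze({
    databaseUrl: required(env, 'DATABASE_URL'),
    port: requiredInt(env, 'PORT'),
    enableCache: requiredBool(env, 'ENABLE_CACHE'),
  });
}

// Setting a variable: convert to a string first. Assigning undefined or null
// directly would store the text "undefined" or "null", so reject those.
function setEnv(name, value) {
  ok(value !== undefined && value !== null, `Refusing to set ${name} to an empty value`);
  process.env[name] = String(value);
}

// Constructed sample values, used only to show the parsed result.
const sample = { DATABASE_URL: 'postgres://app:example@db.invalid:5432/app', PORT: '8080', ENABLE_CACHE: 'false' };
const cfg = loadConfig(sample);
console.log({ port: cfg.port, enableCache: cfg.enableCache }); // secret field omitted from output
```

Call loadConfig() with no arguments at application startup so that a missing or malformed variable stops the process before it serves traffic.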