[{"data":1,"prerenderedAt":418},["ShallowReactive",2],{"blog-prompts/environment-separation":3},{"id":4,"title":5,"body":6,"category":397,"date":398,"dateModified":399,"description":400,"draft":401,"extension":402,"faq":403,"featured":401,"headerVariant":404,"image":403,"keywords":403,"meta":405,"navigation":406,"ogDescription":407,"ogTitle":403,"path":408,"readTime":403,"schemaOrg":409,"schemaType":410,"seo":411,"sitemap":412,"stem":413,"tags":414,"twitterCard":416,"__hash__":417},"blog/blog/prompts/environment-separation.md","Separate Development and Production with AI Prompts",{"type":7,"value":8,"toc":387},"minimark",[9,16,21,24,129,133,136,184,194,198,201,234,238,241,308,317,333,337,340,361,375],[10,11,12],"tldr",{},[13,14,15],"p",{},"Development features in production cause breaches. Debug modes, test credentials, and development APIs should never reach production. Use environment variables, separate databases, and build-time checks to ensure clean separation. These prompts help you audit and fix environment issues.",[17,18,20],"h2",{"id":19},"environment-audit","Environment Audit",[13,22,23],{},"Paste this prompt into your AI assistant to get a full audit of your dev/production separation. 
You'll get a detailed report covering debug modes, test credentials, exposed endpoints, database connections, logging, and source code exposure.",[25,26,28,31,34],"prompt-box",{"title":27},"Audit Environment Separation",[13,29,30],{},"Audit my application for dev/production separation issues.",[13,32,33],{},"Check for:",[35,36,37,56,70,87,101,115],"ol",{},[38,39,40,41],"li",{},"Debug modes in production:",[42,43,44,47,50,53],"ul",{},[38,45,46],{},"DEBUG=true, NODE_ENV !== 'production'",[38,48,49],{},"Verbose error messages",[38,51,52],{},"Stack traces in responses",[38,54,55],{},"Development middleware (hot reload, etc.)",[38,57,58,59],{},"Test credentials in production:",[42,60,61,64,67],{},[38,62,63],{},"Test API keys",[38,65,66],{},"Default passwords",[38,68,69],{},"Hardcoded tokens",[38,71,72,73],{},"Development endpoints:",[42,74,75,78,81,84],{},[38,76,77],{},"/debug, /test, /dev routes",[38,79,80],{},"GraphQL introspection enabled",[38,82,83],{},"API documentation exposed",[38,85,86],{},"phpinfo(), /env, /.env accessible",[38,88,89,90],{},"Database concerns:",[42,91,92,95,98],{},[38,93,94],{},"Dev database connected in production",[38,96,97],{},"Test data in production database",[38,99,100],{},"Seed data or admin test accounts",[38,102,103,104],{},"Logging:",[42,105,106,109,112],{},[38,107,108],{},"Verbose logging in production",[38,110,111],{},"Sensitive data in logs",[38,113,114],{},"Log files publicly accessible",[38,116,117,118],{},"Source exposure:",[42,119,120,123,126],{},[38,121,122],{},"Source maps in production",[38,124,125],{},".git directory accessible",[38,127,128],{},"Environment files exposed",[17,130,132],{"id":131},"environment-variables","Environment Variables",[13,134,135],{},"Use this prompt to set up a complete environment variable system with proper file structure, gitignore rules, and startup validation using zod or envalid.",[25,137,139,142,145,148,156,168,175,178],{"title":138},"Configure Environment Variables",[13,140,141],{},"Set up 
proper environment variable handling.",[13,143,144],{},"File structure:\n.env.example     # Template with dummy values (committed)\n.env.local       # Local development (gitignored)\n.env.development # Development defaults (optional)\n.env.production  # Production (set in deployment platform, NOT committed)",[13,146,147],{},".gitignore:\n.env\n.env.local\n.env.production\n.env*.local",[13,149,150,151,155],{},"Validation at startup:\nconst requiredEnvVars = ",[152,153,154],"span",{},"['DATABASE_URL', 'API_KEY', 'JWT_SECRET']",";",[13,157,158,159,162,163,167],{},"for (const envVar of requiredEnvVars) {\nif (!process.env",[152,160,161],{},"[envVar]",") {\nconsole.error(",[164,165,166],"code",{},"`Missing required environment variable: ${envVar}`",");\nprocess.exit(1);\n}\n}",[13,169,170,171,174],{},"// Validate NODE_ENV\nconst validEnvs = ",[152,172,173],{},"['development', 'production', 'test']",";\nif (!validEnvs.includes(process.env.NODE_ENV)) {\nconsole.error('Invalid NODE_ENV');\nprocess.exit(1);\n}",[13,176,177],{},"Use a library like envalid or zod for typed validation:\nimport { z } from 'zod';",[13,179,180,181,183],{},"const envSchema = z.object({\nNODE_ENV: z.enum(",[152,182,173],{},"),\nDATABASE_URL: z.string().url(),\nAPI_KEY: z.string().min(1),\n});",[185,186,187],"warning-box",{},[13,188,189,193],{},[190,191,192],"strong",{},"Never commit .env files with real secrets:"," Even if you later remove them, they remain in git history. Use git-secrets or similar tools to prevent accidental commits. Rotate any secrets that were ever committed.",[17,195,197],{"id":196},"conditional-features","Conditional Features",[13,199,200],{},"Copy this prompt to generate environment-aware feature toggles for your app. 
Your AI will create patterns for dev-only middleware, production security hardening, environment-specific error handling, and build-time dead code elimination.",[25,202,204,207,210,213,216,219,222,225,228,231],{"title":203},"Environment-Specific Features",[13,205,206],{},"Implement environment-specific features safely.",[13,208,209],{},"Pattern for dev-only features:",[13,211,212],{},"const isDev = process.env.NODE_ENV === 'development';\nconst isProd = process.env.NODE_ENV === 'production';",[13,214,215],{},"// Dev-only middleware\nif (isDev) {\napp.use(morgan('dev'));\napp.use('/debug', debugRoutes);\n}",[13,217,218],{},"// Production security\nif (isProd) {\napp.use(helmet());\napp.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));",[13,220,221],{},"// Disable features\napp.disable('x-powered-by');\n}",[13,223,224],{},"// Error handling differs\napp.use((err, req, res, next) => {\nconsole.error(err);",[13,226,227],{},"if (isProd) {\nres.status(500).json({ error: 'Internal server error' });\n} else {\nres.status(500).json({\nerror: err.message,\nstack: err.stack\n});\n}\n});",[13,229,230],{},"// Build-time dead code elimination (webpack/rollup)\nif (process.env.NODE_ENV !== 'production') {\n// This code is removed from production build\nrequire('./devTools');\n}",[13,232,233],{},"Never use environment checks for security-critical features - use proper access control. Treat the hardened behaviour as the default: return stack traces only when NODE_ENV is explicitly 'development', so an unset or mistyped value fails closed.",[17,235,237],{"id":236},"separate-databases","Separate Databases",[13,239,240],{},"This prompt asks your AI to configure complete database isolation across environments. 
You'll get environment-specific connection strings, safety checks that prevent accidental production connections, and seed/migration safeguards.",[25,242,244,247,250],{"title":243},"Database Environment Separation",[13,245,246],{},"Ensure development and production databases are completely separate.",[13,248,249],{},"Requirements:",[35,251,252,266,285,291,294],{},[38,253,254,255],{},"Separate database instances:",[42,256,257,260,263],{},[38,258,259],{},"Development: Local or dev server",[38,261,262],{},"Staging: Copy of production structure, no real data",[38,264,265],{},"Production: Production server with real data",[38,267,268,269,274,277,278,282,284],{},"Environment-specific connection strings:",[270,271,273],"h1",{"id":272},"envdevelopment",".env.development",[275,276],"br",{},"DATABASE_URL=postgresql://localhost:5432/myapp_dev",[270,279,281],{"id":280},"envproduction-set-in-platform",".env.production (set in platform)",[275,283],{},"DATABASE_URL=postgresql://prod-server:5432/myapp_prod",[38,286,287,288,290],{},"Prevent accidental production connection:\nconst dbUrl = process.env.DATABASE_URL;",[275,289],{},"if (process.env.NODE_ENV === 'development' &&\ndbUrl.includes('prod')) {\nthrow new Error('Refusing to connect to production database in development');\n}",[38,292,293],{},"Seed data safety:\n// Only run seeds in development\nif (process.env.NODE_ENV === 'production') {\nthrow new Error('Cannot run seeds in production');\n}",[38,295,296,297],{},"Migration safety:",[42,298,299,302,305],{},[38,300,301],{},"Require confirmation for production migrations",[38,303,304],{},"Use separate migration tracking per environment",[38,306,307],{},"Never run destructive migrations in production without backup",[309,310,311],"tip-box",{},[13,312,313,316],{},[190,314,315],{},"Pro tip:"," Use different credentials, different cloud accounts, or at minimum different database names for each environment. 
Make it physically impossible to accidentally connect dev tools to production data.",[318,319,320,327],"faq-section",{},[321,322,324],"faq-item",{"question":323},"Should staging use production data?",[13,325,326],{},"Ideally no - use anonymized or synthetic data. If you must use production data, ensure it's properly anonymized (PII removed), and staging has the same security controls as production.",[321,328,330],{"question":329},"How do I test production-like conditions safely?",[13,331,332],{},"Use staging environments that mirror production infrastructure but with test data. Load test against staging, not production. Use feature flags to gradually roll out to production users.",[17,334,336],{"id":335},"further-reading","Further Reading",[13,338,339],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[42,341,342,349,355],{},[38,343,344],{},[345,346,348],"a",{"href":347},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[38,350,351],{},[345,352,354],{"href":353},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[38,356,357],{},[345,358,360],{"href":359},"/blog/best-practices/secrets","Secret management best practices",[362,363,364,370],"related-articles",{},[365,366],"related-card",{"description":367,"href":368,"title":369},"Secret management","/blog/prompts/fix-exposed-api-keys","Protect API Keys",[365,371],{"description":372,"href":373,"title":374},"Error message safety","/blog/prompts/add-error-handling","Secure Error Handling",[376,377,380,384],"cta-box",{"href":378,"label":379},"/","Start Free Scan",[17,381,383],{"id":382},"check-your-environment-config","Check Your Environment Config",[13,385,386],{},"Scan for development features accidentally exposed in 
production.",{"title":388,"searchDepth":389,"depth":389,"links":390},"",2,[391,392,393,394,395,396],{"id":19,"depth":389,"text":20},{"id":131,"depth":389,"text":132},{"id":196,"depth":389,"text":197},{"id":236,"depth":389,"text":237},{"id":335,"depth":389,"text":336},{"id":382,"depth":389,"text":383},"prompts","2026-02-17","2026-03-06","AI prompts to properly separate development and production environments. Prevent accidental production data exposure and configuration mistakes.",false,"md",null,"cyan",{},true,"AI prompts to properly isolate dev and production environments.","/blog/prompts/environment-separation","[object Object]","BlogPosting",{"title":5,"description":400},{"loc":408},"blog/prompts/environment-separation",[415],"Deployment","summary_large_image","q0r_RLzHlbpLQSTpZUqOQf3lxwXtUZ_1MID5eAJ-_UQ",1775843938622]