In Next.js and Create React App, .env.local overrides the shared .env and the mode-specific .env.development / .env.production; it is itself overridden only by .env.development.local-style files and by variables already present in the shell that starts the process. If API_KEY=abc123 is in .env and API_KEY=xyz789 is in .env.local, the application uses xyz789 locally. Two caveats: Next.js and Create React App deliberately skip .env.local when NODE_ENV is test, so test runs see the committed defaults, and Vite ranks the mode-specific .env.[mode] above .env.local, so check the load order your framework documents rather than assuming it.
This is powerful for testing, but dangerous if you forget which values are active: a stale credential or a production endpoint left behind in .env.local silently wins over everything the team has committed.
If you run your dev environment inside Docker, your local .env.local is not automatically visible inside the container. Use Docker Compose's env_file or a volume mount to bridge the gap, and add .env.local to .dockerignore so that a COPY . . in the Dockerfile never bakes it into an image layer, where it would ship with the image and remain readable even if a later layer deletes the file.
If you are trying to access a variable in the browser, it must carry the framework's public prefix (NEXT_PUBLIC_ for Next.js, VITE_ for Vite, REACT_APP_ for Create React App). Variables in .env.local without that prefix are only available on the server/Node side. The prefix is an exposure switch, not a convenience: anything prefixed is inlined into the client bundle at build time and readable by anyone who opens the site, so never put a secret behind a public prefix, even in .env.local.
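To make the precedence rule and the public-prefix rule above concrete, here is an added example (not code from Next.js, Create React App, Vite or the dotenv package) that models the Next.js / Create React App load order with a simplified dotenv parser, records which file each active value came from, and shows what a bundler would expose to the browser. The file contents, the values in them and the names API_KEY, DATABASE_URL and NEXT_PUBLIC_API_URL are constructed for the example.

```javascript
// Added example: a model of dotenv precedence and public-prefix exposure.
// This is not the Next.js, CRA, Vite or dotenv implementation; the parser
// handles only KEY=VALUE lines, quoted values and trailing comments.

// Parse one dotenv file body into a plain object.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;                        // skip malformed lines
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) {
      value = quoted[2];                           // '#' inside quotes is kept
    } else {
      const hash = value.indexOf(' #');
      if (hash !== -1) value = value.slice(0, hash).trim();
    }
    out[key] = value;
  }
  return out;
}

// Next.js / Create React App load order, lowest priority first.
// .env.local is skipped when NODE_ENV is "test" so tests see committed defaults.
function loadOrder(nodeEnv) {
  const files = ['.env', `.env.${nodeEnv}`];
  if (nodeEnv !== 'test') files.push('.env.local');
  files.push(`.env.${nodeEnv}.local`);
  return files;
}

// Merge the files that exist; later files win. Variables already present in
// the process environment (exported by the shell or CI) win over all files.
// Returns the merged values and the source of each active value, which is the
// "which value is actually active?" check the text warns about.
function resolveEnv(files, nodeEnv, processEnv = {}) {
  const env = {};
  const sources = {};
  for (const name of loadOrder(nodeEnv)) {
    if (!(name in files)) continue;
    for (const [k, v] of Object.entries(parseDotenv(files[name]))) {
      env[k] = v;
      sources[k] = name;
    }
  }
  for (const [k, v] of Object.entries(processEnv)) {
    env[k] = v;
    sources[k] = 'process.env';
  }
  return { env, sources };
}

// What a bundler inlines into client code: only keys carrying the public prefix.
function publicEnv(env, prefix) {
  return Object.fromEntries(Object.entries(env).filter(([k]) => k.startsWith(prefix)));
}

// Constructed sample files for the example (hypothetical names, not real credentials).
const FILES = {
  '.env': [
    '# shared defaults, committed',
    'API_KEY=abc123',
    'NEXT_PUBLIC_API_URL=https://api.example.com',
  ].join('\n'),
  '.env.local': [
    '# machine-specific, gitignored',
    'API_KEY=xyz789 # local override',
    'DATABASE_URL="postgres://dev:devpass@localhost/app"',
  ].join('\n'),
};

function report(nodeEnv, processEnv = {}) {
  const { env, sources } = resolveEnv(FILES, nodeEnv, processEnv);
  console.log(`NODE_ENV=${nodeEnv}`);
  for (const k of Object.keys(env)) console.log(`  ${k} <- ${sources[k]}`);
  console.log('  exposed to browser:', Object.keys(publicEnv(env, 'NEXT_PUBLIC_')));
}

report('development');                              // API_KEY comes from .env.local
report('test');                                     // .env.local skipped, API_KEY from .env
report('development', { API_KEY: 'from-shell' });   // shell variable wins over every file
```

Running it prints the source of every active variable for each scenario, which is the habit to build before trusting a value that "should" come from .env.local; note that DATABASE_URL and API_KEY never appear in the browser-exposed set because they lack the prefix.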
.env.local is a local environment file used to store environment variables for a project (usually a Node.js/JavaScript web app). It is intended for machine- or developer-specific secrets and settings that should not be committed to version control.
The most critical security control is its inclusion in .gitignore:
# .gitignore entry
.env.local
.env.*.local
Failure to add this entry is a credential leak waiting to happen: any developer who commits .env.local exposes every local API key, database credential and service token to everyone with read access to the repository. Two caveats practitioners should know. First, .gitignore only stops future additions; it does not apply to a file that is already tracked, and git add -f bypasses it, so verify with git check-ignore -v .env.local (which prints the matching rule) and git ls-files .env.local (which should print nothing). Second, if the file was ever committed, the secrets are in the history even after the file is removed in a later commit; treat them as compromised, rotate them, and rewrite the history if the repository is shared.
.env.local is a configuration file used primarily in JavaScript frameworks (like Next.js, React, Vue, and Nuxt.js) and other modern web stacks. It belongs to the family of "dotenv" files, which are used to store environment variables.
Its specific purpose is defined by its name: local.
While you might have a generic .env file for shared defaults and a .env.production file for values loaded only in production builds, .env.local is intended for environment variables that are specific to your individual machine and should never be shared with the team or committed to version control.