---
issue: 101
title: "Backend: config loads .env.development unconditionally regardless of NODE_ENV"
severity: medium
domain: Security
labels: [security, backend, configuration]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: config loads .env.development unconditionally regardless of NODE_ENV

**Severity:** medium
**Domain:** Security
**Labels:** security, backend, configuration

## Description

`backend/src/shared/config/index.ts:4` loads `.env.development` unconditionally. In a production environment where `NODE_ENV=production`, the config still reads and applies the `.env.development` values, overriding injected production secrets with development values. Combined with `.dockerignore` whitelisting this file into the image (ISSUE-075), this means development secrets are active in production images.

## Options

1. Load `.env.` conditionally and never fall back to the development file in production.
2. Only load dotenv when not in production (rely on the injected environment in production).
3. Load the env-specific file and fail fast if required variables are missing.

## Recommendation

Load the env file matching `NODE_ENV` (or none in production) and never default to `.env.development`. Pair with ISSUE-075.

## Affected Files

- `backend/src/shared/config/index.ts:4`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-49
- [[ISSUE-075-backend-dockerignore-whitelists-env-development-into-prod-image|ISSUE-075]]