Setting Variables
Environment variables let you store configuration and secrets separately from your code. Set them from the dashboard or via the AI assistant.
From the Dashboard
- Go to Dashboard → Sites → [Your Site] → Environment
- Click Add Variable
- Enter the key and value
- Click Save
- Redeploy your site for changes to take effect
From the AI Assistant
"Set DATABASE_URL to postgresql://user:pass@host:5432/db on my-site"
"Add env var NEXT_PUBLIC_API_URL=https://api.example.com to my-app"
"Show me all env vars on my-site"
From the API
PATCH /api/sites/:id
{
  "envVariables": [
    { "key": "DATABASE_URL", "value": "postgresql://..." },
    { "key": "SECRET_KEY", "value": "my-secret" }
  ]
}
Build vs Runtime Variables
Understanding when variables are available is crucial for correct configuration:
| Type | Available During | Use Case |
|---|---|---|
| Build-time | Build process only | API keys for static generation, build flags |
| Runtime | Application execution | Database URLs, secrets, dynamic config |
| Both | Build + Runtime | Most common — available everywhere |
By default, all variables on Hostwares are available at both build and runtime. For Next.js apps:
- NEXT_PUBLIC_* variables are embedded in the client bundle at build time
- Other variables are only available server-side at runtime
- Changing NEXT_PUBLIC_* variables requires a redeploy
Encryption & Security
All environment variables are encrypted at rest using AES-256 encryption. Security measures include:
- Encrypted storage — Variables are encrypted before being stored in the database
- Access control — Only the site owner and admins can view/edit variables
- Masked display — Values are hidden in the UI by default (click to reveal)
- Audit logging — All variable changes are logged with timestamps
- No exposure in logs — Variables are never printed in build or deployment logs
Bulk Operations
For managing multiple variables at once:
Paste from .env file
Click Import from .env in the dashboard and paste your entire .env file contents:
DATABASE_URL=postgresql://user:pass@host:5432/db
REDIS_URL=redis://localhost:6379
SECRET_KEY=my-super-secret-key
NODE_ENV=production
Export variables
Click Export to download your variables as a .env file (values will be decrypted).
Reserved Variables
The following variables are automatically set by Hostwares and cannot be overridden:
| Variable | Value | Description |
|---|---|---|
| PORT | Auto-assigned | The port your app should listen on |
| HOSTNAME | 0.0.0.0 | Bind address for the container |
| NODE_ENV | production | Set to production by default |
Best Practices
- Never commit secrets to Git — Use environment variables for all sensitive data
- Use descriptive names — STRIPE_SECRET_KEY is better than KEY1
- Separate environments — Use different values for staging vs production
- Rotate secrets regularly — Update API keys and passwords periodically
- Minimize scope — Only set variables that the specific site needs
- Document variables — Keep a .env.example in your repo with placeholder values
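A pre-import check for a .env file, added here as an example (it is not Hostwares code): it flags keys that collide with the reserved variables, flags NEXT_PUBLIC_* entries whose name or value looks secret because those end up in the client bundle, and generates a .env.example with placeholder values. The function names, the secret-name pattern and the credentials-in-URL pattern are assumptions made for this example.

```javascript
// Added example, not Hostwares code; function names and heuristics are assumptions.
const RESERVED = new Set(["PORT", "HOSTNAME", "NODE_ENV"]); // from the Reserved Variables table
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY)/i; // assumed heuristic
const URL_WITH_CREDS = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i; // scheme://user:pass@host

// Parse KEY=VALUE lines; skips blanks and # comments, strips `export ` and matching quotes.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) { entries.push({ line: i + 1, error: "unparseable" }); return; }
    const value = m[2].replace(/^(["'])(.*)\1$/, "$2");
    entries.push({ line: i + 1, key: m[1], value });
  });
  return entries;
}

// Return findings to resolve before pasting the file into the import dialog.
function auditEnv(text) {
  const findings = [];
  const seen = new Set();
  for (const e of parseEnv(text)) {
    if (e.error) { findings.push({ line: e.line, rule: "unparseable" }); continue; }
    if (seen.has(e.key)) findings.push({ line: e.line, key: e.key, rule: "duplicate-key" });
    seen.add(e.key);
    if (RESERVED.has(e.key)) findings.push({ line: e.line, key: e.key, rule: "reserved" });
    if (e.key.startsWith("NEXT_PUBLIC_") &&
        (SECRET_NAME.test(e.key) || URL_WITH_CREDS.test(e.value)))
      findings.push({ line: e.line, key: e.key, rule: "secret-in-client-bundle" });
  }
  return findings; // values are never included, so the report is safe to log
}

// Build .env.example: same keys, placeholder (empty) values only.
function toExample(text) {
  return parseEnv(text).filter(e => e.key).map(e => `${e.key}=`).join("\n") + "\n";
}

// Constructed sample input.
const SAMPLE = [
  "DATABASE_URL=postgresql://user:pass@host:5432/db",
  "NEXT_PUBLIC_API_URL=https://api.example.com",
  "NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_constructed",
  "NEXT_PUBLIC_DB=postgresql://user:pass@host:5432/db",
  "NODE_ENV=production",
].join("\n");
console.log(auditEnv(SAMPLE), toExample(SAMPLE));
```

Findings carry only line numbers, key names and rule names, so the output can go into CI logs without exposing values.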
Managing via AI
The AI assistant can help manage your environment variables efficiently:
"List all env vars on my-site"
"Update DATABASE_URL on my-site to postgres://new-host:5432/db"
"Delete the OLD_API_KEY variable from my-app"
"Copy all env vars from staging-site to production-site"
The AI will ask for confirmation before modifying or deleting variables, as these are considered sensitive actions.