by robonerd 1446 days ago
Keeping secrets in environmental variables has always seemed dodgy to me. Unless specifically cleared, they get inherited by all child processes. Maybe there are never any child processes in your application, or that could be desired behavior in some circumstances, but generally it seems like asking for trouble.
2 comments

Its safety is proportional to your isolation model. Never use env vars for secrets when you’re executing arbitrary code, for example.
There's also the reverse issue - if they change after your process is started.

Refreshing an environment variable that has changed is (for me) a line I won't cross. Time to write the app a different way, once that becomes a concern.
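
The inheritance behaviour raised in the top post, as an added example that is not part of the original thread: a child process receives the parent's full environment by default, and two mitigations are to pass an explicit allowlisted environment or to read the secret once and remove it. The variable name `DEMO_API_TOKEN`, its value and the `SAFE_VARS` allowlist are constructed for illustration, and a POSIX `/bin/sh` is assumed.

```python
import os
import subprocess

SECRET_NAME = "DEMO_API_TOKEN"              # hypothetical name, constructed for this example
SAFE_VARS = ("PATH", "HOME", "LANG", "TZ")  # assumed allowlist; adjust per application


def child_sees(name, env=None):
    """Spawn a child shell and report whether `name` is set in its environment.

    env=None is subprocess's default: the child gets a copy of os.environ.
    """
    # ${NAME+set} expands to "set" only when NAME exists, even if it is empty.
    script = 'test -n "${%s+set}"' % name
    return subprocess.run(["/bin/sh", "-c", script], env=env).returncode == 0


def allowlisted_env(allowed=SAFE_VARS):
    """Build the child's environment from an allowlist rather than a denylist,
    so a secret added later is excluded without anyone remembering to strip it."""
    return {k: os.environ[k] for k in allowed if k in os.environ}


def take_secret(name):
    """Read the secret once and remove it from this process's environment,
    so children spawned afterwards cannot inherit it."""
    return os.environ.pop(name, None)


def demo():
    os.environ[SECRET_NAME] = "constructed-not-a-real-token"
    inherited = child_sees(SECRET_NAME)                        # default inheritance
    scrubbed = child_sees(SECRET_NAME, env=allowlisted_env())  # explicit environment
    secret = take_secret(SECRET_NAME)
    after_pop = child_sees(SECRET_NAME)                        # default again, secret gone
    return inherited, scrubbed, secret is not None, after_pop


if __name__ == "__main__":
    print(demo())
```

On Linux, removing the variable this way stops inheritance by later children but does not change `/proc/<pid>/environ`, which keeps showing the environment the process was started with.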