What is the main reason to manage environment variables and secrets securely in deployments?

• A. Secrets protect credentials and configuration from exposure; use secrets management, vaults, and avoid hardcoding values.
• B. Embedding credentials in the source code simplifies deployment.
• C. Secrets cannot impact security if stored in plain text.
• D. Secrets only matter in development, not in production.

Answer: (A)

Safely handling environment variables and secrets is essential because credentials and configuration contain access to systems and data, and they must not be exposed. Secrets management tools and vaults protect these values by encrypting them at rest, enforcing strict access controls, providing audit trails, and enabling rotation. When secrets are baked into code or stored in plain text in source control or container images, they can be inadvertently exposed through code leaks, build artifacts, log output, or shared backups. By injecting secrets at runtime from a secure store, you enforce the principle of least privilege—each service only gets what it needs, for the time it needs it—making deployments safer and easier to manage across dev, staging, and production. This approach also makes it simple to revoke or rotate credentials without touching the codebase.

Storing credentials directly in the source code may seem convenient, but it creates a lasting risk that can spread across repositories and deployments. Plain text secrets are unrecoverable once exposed, whereas using a vault or secret store adds strong protection and traceability. Secrets matter in production just as much as in development, since production environments are common targets for exposure, misconfiguration, and unauthorized access.