Loading
.env local (gitignore). .env.local overrides. Next.js: NEXT_PUBLIC_* exposed to browser; others server-only. Load with process.env.VAR. Vite: import.meta.env.VITE_*.
Validation
Validate at startup (e.g. zod) and fail fast. Never commit secrets; use platform env (Vercel, etc.) or secret manager.