Forem: KANISHQ R PUROHIT The latest articles on Forem by KANISHQ R PUROHIT (@kanishq9). https://forem.com/kanishq9 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3924986%2F5575878d-57cc-495b-bf69-7b100456a0ff.png Forem: KANISHQ R PUROHIT https://forem.com/kanishq9 en I Built My Own Config Format for Node.js That Separates Server and Client Secrets KANISHQ R PUROHIT Mon, 11 May 2026 18:38:57 +0000 https://forem.com/kanishq9/i-built-my-own-config-format-for-nodejs-that-separates-server-and-client-secrets-49hl https://forem.com/kanishq9/i-built-my-own-config-format-for-nodejs-that-separates-server-and-client-secrets-49hl <p><em>The problem with dotenv that nobody talks about, and how I fixed it with kq-config.</em></p> <h2> The Problem </h2> <p>Every Node.js project I've worked on has the same setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">DB_PASS</span><span class="p">=</span><span class="s">supersecret</span> <span class="py">SECRET_KEY</span><span class="p">=</span><span class="s">myjwtsecret</span> <span class="py">API_URL</span><span class="p">=</span><span class="s">http://localhost:3000</span> <span class="py">THEME</span><span class="p">=</span><span class="s">dark</span> <span class="py">PORT</span><span class="p">=</span><span class="s">3000</span> </code></pre> </div> <p>One <code>.env</code> file. Everything in one place. Server secrets, client settings, database passwords, all mixed together.</p> <p>This works fine until we think: <strong>who can see what?</strong></p> <p>Your frontend code runs <code>process.env.API_URL</code>, works fine. But what stops it from also reading <code>process.env.DB_PASS</code>? In most setups, <em>nothing</em>. The same object holds everything.</p> <p>I kept thinking: why do we give everyone access to everything?</p> <h2> The Idea </h2> <p>What if your config file had separate blocks: one for the server, one for the client, and each side could only read its own?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>config.kq ├── ::shared → merged into both ├── ::server → server only └── ::client → client only </code></pre> </div> <p>Server reads <code>::server</code>. Client reads <code>::client</code>. Neither can see the other's block.</p> <p>I built this as an npm package called <strong>kq-config</strong>. The <code>.kq</code> extension stands for <strong>Konfig Query</strong>, and comes from the first and last letters of my name, <strong>Kanishq</strong>.</p> <h2> What it looks like </h2> <p>Create a single <code>config.kq</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@version = 1.0 ::shared app_name = MyApp version = 1.0 ::end ::server host = localhost port = 3000 db_host = localhost db_name = mydb db_user = $ENV:DB_USER db_pass = $ENV:DB_PASS secret_key = $ENV:SECRET_KEY debug = true log_level = info ::end ::client api_url = http://localhost:3000 theme = dark timeout = 5000 retry = 3 ::end </code></pre> </div> <p>Then in your code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">KQParser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">kq-config</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Server reads ::shared + ::server only</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span> <span class="p">).</span><span class="nf">load</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">server</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">port</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// 3000</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">server</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">db_pass</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// "supersecret" (from .env)</span> <span class="c1">// Client reads ::shared + ::client only</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">client</span><span class="dl">"</span> <span class="p">).</span><span class="nf">load</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_url</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// "http://localhost:3000"</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">db_pass</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// undefined, client can NEVER see this</span> </code></pre> </div> <p>The database password is invisible to the client. Not hidden by convention but blocked by design.</p> <p>Note: add .env in the same path for DB_USER,DB_PASS,SECRET_KEY</p> <h2> Built-in .env support, no dotenv needed </h2> <p>kq-config automatically finds and loads <code>.env</code> from the same folder as your <code>config.kq</code> file. You don't need to install or configure dotenv:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>your-project/ ├── config.kq └── .env ← loaded automatically </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// No require("dotenv").config() needed</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">).</span><span class="nf">load</span><span class="p">();</span> <span class="c1">// $ENV: variables resolved from .env automatically</span> </code></pre> </div> <h2> Environment overrides </h2> <p>Create <code>config.prod.kq</code> with <strong>only what changes</strong> in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>::server host = 0.0.0.0 port = 8080 db_host = prod-db.example.com debug = false log_level = warn ::end ::client api_url = https://api.example.com ::end </code></pre> </div> <p>Load it based on <code>APP_ENV</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_ENV</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">development</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">overrides</span> <span class="o">=</span> <span class="p">{</span> <span class="na">production</span><span class="p">:</span> <span class="dl">"</span><span class="s2">config.prod.kq</span><span class="dl">"</span><span class="p">,</span> <span class="na">staging</span><span class="p">:</span> <span class="dl">"</span><span class="s2">config.staging.kq</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">overrideFile</span> <span class="o">=</span> <span class="nx">overrides</span><span class="p">[</span><span class="nx">env</span><span class="p">]</span> <span class="p">?</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="nx">overrides</span><span class="p">[</span><span class="nx">env</span><span class="p">])</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">,</span> <span class="nx">overrideFile</span><span class="p">).</span><span class="nf">load</span><span class="p">();</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node server.js <span class="c"># development → port 3000</span> <span class="nb">set </span><span class="nv">APP_ENV</span><span class="o">=</span>production&amp;node server.js <span class="c"># cmd:production → port 8080</span> <span class="nv">$env</span>:APP_ENV<span class="o">=</span><span class="s2">"production"</span><span class="p">;</span> node server.js <span class="c"># powershell:production → port 8080</span> </code></pre> </div> <h2> Schema validation </h2> <p>Validate your config at startup. Fail immediately with clear errors instead of mysterious crashes later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">load</span><span class="p">()</span> <span class="p">.</span><span class="nf">validate</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">port</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">secret_key</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">debug</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">boolean</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">log_level</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">"</span><span class="s2">info</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>If anything is wrong, you get all errors at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>KQValidationError: Config validation failed for role 'server': ✗ Required key 'secret_key' is missing in [server] config. ✗ 'port' — expected number, got string (value: "3000") </code></pre> </div> <h2> Runtime overrides </h2> <p>Override any value without touching any file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$env</span>:KQ_SERVER_PORT<span class="o">=</span>9999<span class="p">;</span> node server.js <span class="nv">$env</span>:KQ_CLIENT_THEME<span class="o">=</span><span class="s2">"light"</span><span class="p">;</span> node server.js </code></pre> </div> <p>Pattern: <code>KQ_&lt;ROLE&gt;_&lt;KEY&gt;=value</code>. Values are automatically type-cast.</p> <h2> AES-256-GCM encryption — built in </h2> <p>This is where it gets interesting. You can store <strong>encrypted secrets directly in your config file</strong>:</p> <p><strong>Step 1 : Generate a master key:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node <span class="nt">-e</span> <span class="s2">"console.log(require('crypto').randomBytes(32).toString('hex'))"</span> <span class="c"># 3a7bd3e2360a3d29eea436fcfb7e44c735d117c7888a8660b1e5c8c51b9ff59f</span> </code></pre> </div> <p><strong>Step 2 : Encrypt your secrets:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">KQParser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">kq-config</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KQ_MASTER_KEY</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">3a7bd3e2...</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">enc</span> <span class="o">=</span> <span class="nx">KQParser</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="dl">"</span><span class="s2">mysupersecretpassword</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// → ENC:aGVsbG8gd29ybGQ=:abc123:xyz456</span> </code></pre> </div> <p><strong>Step 3 : Put it in <code>config.kq</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>::server db_pass = ENC:aGVsbG8gd29ybGQ=:abc123:xyz456 ::end </code></pre> </div> <p><strong>Step 4 : Load as normal — decryption is automatic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">).</span><span class="nf">load</span><span class="p">();</span> <span class="nx">server</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">db_pass</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// "mysupersecretpassword" </span> </code></pre> </div> <p>Even if someone gets your <code>config.kq</code> — they cannot read the secrets without <code>KQ_MASTER_KEY</code>.</p> <h2> Secret masking </h2> <p>Prevent secrets from leaking into logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">server</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="c1">// { port: 3000, db_pass: "supersecret" }</span> <span class="nx">server</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="c1">// { port: 3000, db_pass: "***MASKED***" } </span> <span class="c1">// Or always mask</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">mask</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> </code></pre> </div> <h2> Auto type casting </h2> <p>Everything from a config file is a string — but kq-config automatically casts types:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Value in file</th> <th>Parsed as</th> </tr> </thead> <tbody> <tr> <td><code>3000</code></td> <td> <code>3000</code> (number)</td> </tr> <tr> <td> <code>true</code> / <code>false</code> </td> <td> <code>true</code> / <code>false</code> (boolean)</td> </tr> <tr> <td><code>null</code></td> <td><code>null</code></td> </tr> <tr> <td><code>"hello world"</code></td> <td> <code>"hello world"</code> (quotes stripped)</td> </tr> </tbody> </table></div> <p>So <code>server.get("port")</code> gives you a real number, not <code>"3000"</code>.</p> <h2> Security protections built in </h2> <p>kq-config has professional-grade security with zero extra configuration:</p> <ul> <li> <strong>Path traversal</strong> — <code>../../etc/passwd</code> attacks blocked</li> <li> <strong>Prototype pollution</strong> — <code>__proto__</code>, <code>constructor</code> keys blocked</li> <li> <strong>ReDoS</strong> — values over 10,000 chars rejected</li> <li> <strong>Memory exhaustion</strong> — files over 1MB rejected</li> <li> <strong>Null byte injection</strong> — null bytes in values blocked</li> <li> <strong>Env hijacking</strong> — <code>.env</code> cannot overwrite <code>NODE_OPTIONS</code>, <code>PATH</code> etc.</li> <li> <strong>Zero dependencies</strong> — no supply chain attack surface</li> </ul> <h2> - <strong>npm provenance</strong> — every release cryptographically signed </h2> <h2> TypeScript support </h2> <p>Full type definitions included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">KQParser</span><span class="p">,</span> <span class="nx">KQSchema</span><span class="p">,</span> <span class="nx">KQOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kq-config</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">schema</span><span class="p">:</span> <span class="nx">KQSchema</span> <span class="o">=</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">debug</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">boolean</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KQParser</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.kq</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">server</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">load</span><span class="p">()</span> <span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="nx">schema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="nx">server</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">port</span><span class="dl">"</span><span class="p">)</span> <span class="k">as</span> <span class="kr">number</span><span class="p">;</span> </code></pre> </div> <h2> ESM and CJS </h2> <p>Works with both <code>import</code> and <code>require</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// CommonJS</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">KQParser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">kq-config</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// ES Module</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">KQParser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kq-config</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <h2> The full feature list </h2> <ul> <li>Block separation — <code>::server</code> / <code>::client</code> / <code>::shared</code> </li> <li>Built-in <code>.env</code> loading — no dotenv needed</li> <li> <code>$ENV:VAR</code> injection — secrets never hardcoded</li> <li> <code>ENC:</code> encryption — AES-256-GCM built in</li> <li>Secret masking — <code>***MASKED***</code> in logs</li> <li>Raw secret detection — warns on plain secrets</li> <li>Layered overrides — dev → staging → prod</li> <li>Runtime overrides — <code>KQ_SERVER_PORT=9999</code> </li> <li>Schema validation — required, type, default</li> <li>Auto type casting — numbers, booleans, null</li> <li>TypeScript types — full definitions</li> <li>ESM + CJS — both supported</li> </ul> <h2> - Zero dependencies — nothing to audit </h2> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>kq-config </code></pre> </div> <p>GitHub: <a href="https://github.com/kanishq-9/kq-config" rel="noopener noreferrer">github.com/kanishq-9/kq-config</a></p> <p>npm: <a href="https://www.npmjs.com/package/kq-config" rel="noopener noreferrer">npmjs.com/package/kq-config</a></p> <h2> Why I built this </h2> <p>I was tired of the same pattern in every project, one flat list of environment variables, no structure, no separation, no way to know which values are safe to expose to the frontend and which ones would be catastrophic if leaked.</p> <p>The <code>.kq</code> format is my answer to that. One file, clear blocks, each side reads only what it needs. The encryption came from realizing that even <code>.env</code> files can be accidentally committed, so why not make the secrets safe to commit?</p> <p>If you try it out, let me know what you think. Issues and PRs are welcome on GitHub.</p> node npm security opensource