Should I use environment variables or module.exports for username and password for a small personal app on Heroku?

Question

Should I use environment variables or module.exports for username and password for an app on Heroku?

I am using a simple xlsx and nodemailer combination, the idea is to read the spreadsheet and do a few things, including mailing some people off the spreadsheet. I am using a really basic transporter/mailer but have been reading alot about security of the username and password, I have read up about environmental variables but I am still somewhat unclear on it all as it gets super technical very quickly.

The app is very small and would run a few times a day at max and is only for internal use so to speak, there will be no public facing side except in the future I will perhaps add the dashboard for myself to work from.

If I deploy to Heroku should I make use of the environment variables in the dashboard for my sensitive info or module.exports? Is it safe?

This is a snippet from the mailer showing currently I use the module.exports and have added that folder to .gitignore. Is that enough or is environment variables better?

var transporter = nodemailer.createTransport({
    host: 'xxxxxxxxxxxxxxxxx',
    // port: 587,
    secure: false, // upgrade later with STARTTLS
    auth: {
        user: 'xxxxxxxxxxxxxxxxxxxxxx',
        pass: config.passW
    }

I would like to follow best practices and also ensure that the details saved on the spreadsheet are safe.

Answer 1

Heroku recommends using Environment variables to store sensitive information. Though there are various Heroku add-ons which can also do the job for you , however the native way is through environment variables only.