
How to Compare .env Files Safely (Without Leaking Secrets)

Compare .env files across environments without exposing secrets. Spot missing variables, changed values, and config drift between dev, staging, and production.

A missing environment variable is one of the most common causes of a broken deploy. The app works perfectly in staging, then crashes in production because STRIPE_SECRET_KEY was never set, or DATABASE_URL still points to the staging database. Comparing .env files manually is risky: they're full of secrets you don't want to paste into the wrong place. Here's how to do it safely.

Why .env Files Drift Between Environments

Environment files accumulate variables over time. A developer adds a new feature flag locally and forgets to update the staging .env. Someone rotates an API key in production but not in the .env.example template. A third-party service gets a new required variable in their latest SDK version. Before you know it, your environments are out of sync and the only way to find out is a runtime error.

  • Missing keys — a variable exists in dev but was never added to production. The app throws an undefined variable error only after deploy.
  • Stale values — a key exists in both environments but points to different endpoints or uses an outdated format. The app runs but behaves incorrectly.
  • Extra variables — production has variables that no longer exist in the codebase, creating confusion during debugging and onboarding.
  • Ordering and grouping — teams often organise variables by section (database, auth, third-party services). Drift in ordering makes review harder over time.

The Safe Way to Diff .env Files

The challenge with .env files is that they contain real secrets: API keys, database passwords, OAuth tokens. You can't paste them into a tool that uploads content to a server. The comparison needs to happen locally, in your browser.

  1. Open your .env file for the first environment (e.g., staging). Copy the contents.
  2. Paste it into the Original pane on Online Diff.
  3. Open your second .env file (e.g., production). Copy the contents.
  4. Paste it into the Modified pane and hit Compare.

The diff highlights every missing variable, every changed value, and every line that exists in one file but not the other. Nothing leaves your browser — the comparison runs entirely in JavaScript on your machine.

Comparing .env.example Against Your Real .env

Most projects maintain a .env.example file that documents required variables without real values. Diffing your actual .env against .env.example is the fastest way to find variables your app needs that you haven't set yet:

# .env.example (committed to git)
DATABASE_URL=
REDIS_URL=
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
JWT_SECRET=
SENDGRID_API_KEY=

# Your .env (local or server)
DATABASE_URL=postgres://user:pass@localhost/mydb
REDIS_URL=redis://localhost:6379
STRIPE_SECRET_KEY=sk_live_...
JWT_SECRET=supersecret

Paste both into the diff tool. The missing STRIPE_WEBHOOK_SECRET and SENDGRID_API_KEY show up immediately as removed lines — variables that exist in the template but are absent from your actual config.

Tips for Better .env Diffs

Redact values before sharing

If you need to share the diff with a teammate — to show them which variables are missing in their environment — use the Share button after comparing. Online Diff scans for patterns that look like secrets and offers to redact them before generating the share link. This means your teammate sees the variable names and structure without seeing the actual secret values.

Sort both files before comparing

If your .env files have the same variables in different orders, every line will appear changed. Sort both files alphabetically before diffing to make structural differences obvious:

sort .env.staging > staging_sorted.env
sort .env.production > production_sorted.env

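Paste the sorted versions into the diff. Now only genuine differences (missing keys or changed values) show up as changes. The sorted copies contain the same secrets as the originals, so delete them when you are done and keep them out of version control.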

Diff keys only (strip values)

If you only want to check which variable names differ between environments — not their values — strip the values before pasting:

# Print only the variable names from a .env file
grep -v '^#' .env | grep '=' | cut -d'=' -f1 | sort

Paste the key-only output from both files into the diff. You get a clean list of structural differences without any secret values in your clipboard.
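
The sorting and key-only tips above can be combined into one local check that reports missing, extra, and changed keys without ever printing a value. This is an added example, not part of Online Diff or the original post; the function names (env_keys, env_value, env_drift, demo) and the sample files are constructed for illustration. It goes slightly beyond the grep pipeline above by also handling leading whitespace and an "export " prefix.

```shell
#!/usr/bin/env bash
# Added example: key-level .env comparison that never prints a value.

# env_keys FILE: sorted unique variable names. Skips comments and blank
# lines; tolerates leading whitespace and an "export " prefix.
env_keys() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1" |
    LC_ALL=C sort -u
}

# env_value FILE KEY: raw text after "=" for the last assignment to KEY.
# Used only inside a comparison; quotes are not interpreted.
env_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=(.*)/\2/p" "$1" | tail -n 1
}

# env_drift A B: report keys missing from B, extra in B, or changed.
env_drift() {
  a_keys=$(mktemp); b_keys=$(mktemp)
  env_keys "$1" > "$a_keys"; env_keys "$2" > "$b_keys"
  LC_ALL=C comm -23 "$a_keys" "$b_keys" | sed 's/^/MISSING_IN_B /'
  LC_ALL=C comm -13 "$a_keys" "$b_keys" | sed 's/^/EXTRA_IN_B /'
  LC_ALL=C comm -12 "$a_keys" "$b_keys" | while read -r k; do
    [ "$(env_value "$1" "$k")" = "$(env_value "$2" "$k")" ] || echo "CHANGED $k"
  done
  rm -f "$a_keys" "$b_keys"
}

# demo: run env_drift on two constructed sample files (not real secrets).
demo() {
  d=$(mktemp -d)
  printf '%s\n' '# staging (constructed sample)' \
    'DATABASE_URL=postgres://user:pass@staging-db/app' \
    'REDIS_URL=redis://localhost:6379' \
    'export JWT_SECRET=staging-secret' \
    'STRIPE_WEBHOOK_SECRET=whsec_example' > "$d/staging.env"
  printf '%s\n' '# production (constructed sample)' \
    'REDIS_URL=redis://localhost:6379' \
    'JWT_SECRET=prod-secret' \
    'DATABASE_URL=postgres://user:pass@prod-db/app' \
    'LEGACY_FLAG=1' > "$d/production.env"
  env_drift "$d/staging.env" "$d/production.env"
  rm -rf "$d"
}

demo
```

The output contains only key names, so it can be pasted into a ticket or chat without exposing values.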

Check Docker Compose env_file references too

If your services use env_file: in Docker Compose, the .env file for each service may differ from your root .env. Diff all relevant env files against each other, not just the root one. See the Docker Compose diff guide for the full workflow.

Privacy: Your Secrets Stay in Your Browser

.env files contain your most sensitive credentials: production database passwords, payment processor keys, OAuth secrets. Pasting these into a server-side diff tool means those credentials are now stored in someone else's logs. Online Diff runs the entire comparison in JavaScript in your browser tab. Nothing is transmitted, nothing is logged, and nothing is stored. Close the tab and the data is gone.

Compare Your .env Files Now

Paste two environment files and see every missing variable and changed value — privately, in your browser. No upload, no account, nothing sent to a server.
