Though legacy, millions of projects still run on CRA. CRA explicitly supports .env.production.local. It loads files in this order: .env.production.local, .env.local, .env.production, .env. Variables must be prefixed with REACT_APP_.

.env.production vs. .env.local.production

You populate this server file with actual database passwords, private API tokens, and encryption keys. Because it ends in .local, it stays safely on that specific server.

Server-Side vs. Client-Side Exposure
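The CRA loading order and REACT_APP_ prefix rule described above, as an added example (not code from the original page or from CRA): it resolves which variables a production build would inline into the client bundle and flags secret-looking names among them. The file contents, variable names, helper names and the name-pattern heuristic are constructed assumptions; the first file in the order that defines a key is assumed to win.

```javascript
// Added example: helper names, sample files and the SECRET_HINT heuristic are assumptions.
const CRA_PRODUCTION_ORDER = ['.env.production.local', '.env.local', '.env.production', '.env'];
const SECRET_HINT = /(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|API_?KEY|CREDENTIAL)/i;

// Minimal KEY=VALUE parser: skips blanks and comments, strips one pair of matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const m = value.match(/^(['"])(.*)\1$/);
    if (m) value = m[2];
    vars[key] = value;
  }
  return vars;
}

// Resolve what a production build sees: the first file in the order that defines a key wins.
function resolveBundleVars(files) {
  const resolved = {};
  for (const name of CRA_PRODUCTION_ORDER) {
    if (!(name in files)) continue;
    for (const [key, value] of Object.entries(parseEnv(files[name]))) {
      if (!(key in resolved)) resolved[key] = { value, source: name };
    }
  }
  // Only REACT_APP_-prefixed names are inlined into the client-side JavaScript.
  return Object.fromEntries(Object.entries(resolved).filter(([k]) => k.startsWith('REACT_APP_')));
}

// Report bundle-bound variables whose names suggest a secret, with the file they came from.
function findExposedSecrets(files) {
  return Object.entries(resolveBundleVars(files))
    .filter(([key]) => SECRET_HINT.test(key))
    .map(([key, { source }]) => ({ key, source }));
}

// Constructed sample files (placeholder values only).
const sampleFiles = {
  '.env': 'REACT_APP_API_URL=https://api.example.test\nREACT_APP_PAYMENT_SECRET_KEY=placeholder-a\n',
  '.env.production': 'REACT_APP_API_URL=https://prod.example.test\n',
  '.env.production.local': '# server only\nDB_PASSWORD="not-bundled"\nREACT_APP_PAYMENT_SECRET_KEY=placeholder-b\n',
};
console.log(findExposedSecrets(sampleFiles));
```

Run as a pre-build check, a non-empty result means a secret-named value is about to ship to every browser regardless of which .env file it was stored in.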