# Public Key and .env file


minor mason

I have learned that private keys should be hidden in the backend b/c there isn't a way to hide them in the frontend. But what about public keys?
Do they need to be hidden in the backend?
Do they NEED to be in a .env file or is it just 'best practice' to do so?
Should a .env file ALWAYS be included in .gitignore?

For reference, I'm building a website (deployed on Netlify) with a form that uses EmailJS and reCAPTCHA v2. Both have a private key that is held on the EmailJS server (🤷‍♀️) and a public key, which I currently have hard-coded (not sure if this is proper practice).

I would love to hear what others know and do. Thanks!

honest arrow

Assuming that the "public keys" are what I think they are, it should be fine to expose them wherever they're needed. I've not worked with either of the services you mentioned, so I can't speak specifically to those. However, I have implemented a PayPal payment system, and that system provides two "keys". One is a private/secret key that is only accessible in server code. The server uses this secret key when it is instructed by the client to initiate a transaction. The other identifier is a client ID, which is viewable in client script. I'm not absolutely sure that it's 100% safe having the client ID viewable, but that's how PayPal has implemented things, so I would assume there is little/no security concern.

As to your other questions:

  • No, you don't need to keep your private (or even public) keys in a .env file, but it can be a convenient location to place them. If you develop the habit of putting your keys into your .env file, you'll never wonder where to look for them!

  • I don't really like to speak in absolutes, and every developer should follow whatever practices they wish to, but it really really makes good sense to always exclude your .env file from your git repository.
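A small Node script illustrating the split the reply above describes (added here as an example; it is not code from either poster, from EmailJS, reCAPTCHA, PayPal or Netlify). It parses a constructed .env file, lets only variables carrying an assumed `PUBLIC_` prefix into the client-side config object, refuses to build that object if a secret value would be inlined into it, reads secrets server-side from `process.env` the way a serverless function would, and checks that a .gitignore excludes the .env file. The variable names and values are placeholders made up for the example.

```javascript
// Added example, not from the original thread. Models the rule from the
// reply above: public identifiers (reCAPTCHA site key, EmailJS public key)
// may ship to the browser; secret keys are only ever read server-side.
// The PUBLIC_ prefix convention, the variable names and the values below
// are assumptions made for this example.

// Constructed sample .env content (placeholder values, not real keys).
const SAMPLE_ENV = `
# EmailJS / reCAPTCHA settings (constructed sample values)
PUBLIC_EMAILJS_PUBLIC_KEY=emailjs_public_placeholder
PUBLIC_RECAPTCHA_SITE_KEY="recaptcha_site_placeholder"
EMAILJS_PRIVATE_KEY=emailjs_secret_placeholder
RECAPTCHA_SECRET_KEY='recaptcha_secret_placeholder'
`;

const PUBLIC_PREFIX = "PUBLIC_"; // assumed naming convention

// Parse .env text into a plain object. Handles comments, blank lines and
// single/double-quoted values (a minimal parser, not the dotenv package).
function parseDotEnv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    vars[key] = value;
  }
  return vars;
}

// Split parsed variables into what may reach the browser and what must not.
function splitPublicAndSecret(vars, prefix = PUBLIC_PREFIX) {
  const publicVars = {};
  const secretVars = {};
  for (const [key, value] of Object.entries(vars)) {
    (key.startsWith(prefix) ? publicVars : secretVars)[key] = value;
  }
  return { publicVars, secretVars };
}

// Build the config object that gets inlined into the client bundle.
// Throws if any secret value would end up in it (e.g. a secret mistakenly
// copied into a PUBLIC_ variable).
function buildClientConfig(vars, prefix = PUBLIC_PREFIX) {
  const { publicVars, secretVars } = splitPublicAndSecret(vars, prefix);
  const config = {};
  for (const [key, value] of Object.entries(publicVars)) {
    config[key.slice(prefix.length)] = value;
  }
  const serialized = JSON.stringify(config);
  for (const [key, value] of Object.entries(secretVars)) {
    if (value !== "" && serialized.includes(value)) {
      throw new Error(`secret ${key} would be shipped to the client`);
    }
  }
  return config;
}

// Server-side use: a serverless function handler reads the secret from the
// process environment at request time, so it never appears in the bundle.
function getServerSecret(name, env = process.env) {
  const value = env[name];
  if (!value) throw new Error(`missing server secret ${name}`);
  return value;
}

// Check that a .gitignore excludes the .env file (".env", "/.env" or ".env*").
function gitignoreCoversEnv(gitignoreText) {
  return gitignoreText
    .split(/\r?\n/)
    .map((l) => l.trim())
    .some((l) => l === ".env" || l === "/.env" || l === ".env*");
}

const vars = parseDotEnv(SAMPLE_ENV);
console.log("client config:", buildClientConfig(vars));
console.log(".gitignore ok:", gitignoreCoversEnv(".env\nnode_modules/\n"));
```

On a real deployment the secret variables would not live in a committed file at all; they would be entered in the hosting provider's environment settings and read through `process.env` inside the server-side function, while the client build only ever sees the prefixed values.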