I'm setting up a development and production environment for a web application. It uses some remote APIs that you need a key to access. You don't want those keys in your code, nor the database credentials.
I have done some research and learned that one could store them in a file that does not get committed to the repository. Is this safe to do on a production server (Ubuntu 16.04), granted that the server has been hardened correctly? Or should additional steps be taken? Or is it the wrong way to do it altogether?