Where to store configurable secrets? In group-readable etc/app.conf ?

From: Pat Maddox <pat_at_patmaddox.com>
Date: Wed, 18 May 2022 08:26:56 UTC
I am working on an app that reads database credentials from DATABASE_URL 
env var. I've got an rc script that starts it up fine. I want to 
double-check how I should be configuring it: I have put it in 
/usr/local/etc/myapp.conf chmod 770.

Is that right, or is there some other mechanism for setting secret env 
vars for rc scripts?