I am building a backend application with some basic user authentication mechanisms, so I did what most would: create a .env file, put APP_SECRET inside, and have the application load it from there.

Now, since I also have a database dedicated to this application, it should be feasible to store that APP_SECRET inside the database (it could be a table with just one column and one row storing the value) and have the application load it from there on start. Although I'll still have to supply the DB connection credentials via the .env file, so it won't go anywhere, at least I have one less thing to put inside it now.

The question is: is this a legitimate move? Does this paradigm have any security concerns? Is there a better alternative if I don't like to generate APP_SECRET and put it in .env?
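The two loading strategies the question describes, as an added example that is not part of the original post: read APP_SECRET from the environment if it is set, otherwise bootstrap it from a single-row table (table name `app_secret` and the 32-byte minimum are assumptions), generating it on first start in a way that stays idempotent when several instances start at once.

```python
import os
import secrets
import sqlite3
from typing import Mapping, Optional

# Minimum accepted length: 32 random bytes, hex-encoded. An assumed policy, not from the post.
MIN_SECRET_LEN = 64


def open_memory_db() -> sqlite3.Connection:
    """Open an in-memory SQLite DB with the one-column, one-row table the question describes.
    In a real deployment the connection credentials still come from the .env file."""
    conn = sqlite3.connect(":memory:")
    # CHECK (id = 1) guarantees the table can never hold more than one row.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS app_secret "
        "(id INTEGER PRIMARY KEY CHECK (id = 1), value TEXT NOT NULL)"
    )
    conn.commit()
    return conn


def load_secret_from_db(conn: sqlite3.Connection, generate_if_missing: bool = False) -> Optional[str]:
    """Return the stored secret; optionally create it on first start."""
    row = conn.execute("SELECT value FROM app_secret WHERE id = 1").fetchone()
    if row is not None:
        return row[0]
    if not generate_if_missing:
        return None
    # INSERT OR IGNORE: if two instances race on first start, the loser keeps the winner's value
    # instead of overwriting it, so every instance ends up with the same secret.
    conn.execute(
        "INSERT OR IGNORE INTO app_secret (id, value) VALUES (1, ?)",
        (secrets.token_hex(32),),
    )
    conn.commit()
    return conn.execute("SELECT value FROM app_secret WHERE id = 1").fetchone()[0]


def validate_secret(value: str) -> str:
    """Reject short or placeholder secrets before the app signs anything with them."""
    if len(value) < MIN_SECRET_LEN:
        raise ValueError("APP_SECRET is too short to be used as a signing key")
    return value


def load_app_secret(conn: sqlite3.Connection, env: Optional[Mapping[str, str]] = None) -> str:
    """Environment (.env) takes precedence; otherwise fall back to the database row."""
    env = os.environ if env is None else env
    value = env.get("APP_SECRET")
    if not value:
        value = load_secret_from_db(conn, generate_if_missing=True)
    return validate_secret(value)
```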