I thought it was said that saving keys as environment variables was a bad idea? I normally use a.env file and load values from it with dotenv, and I make sure to include it in my gitignore file.
However, after reading that it is bad practise to maintain keys and sensitive information as environment variables (temporary or otherwise), I'm curious as to what constitutes good security practise.