Thank you! It honestly comes down to one simple fact: You can't betray what you don't know.

So the alternative becomes, where do I store something that's visible to the scripting engine, but not the web server? PHP is in a good position in this regard since, if we use something like FastCGI with Nginx, for example, that completely decouples the web server from the scripting engine. The server literally cannot serve the file, since it's not in scope.

This came about a little while back when a good friend of mine did have a misconfigured server (because his host was incompetent) and it really came down to "how much can I withstand revealing"? Let's face it, any file -- really anything in the webroot of the site -- is readable by the web server. If it's readable, it can potentially be served. No matter how unlikely, we have to account for the possibility.