**Never hard-code secrets, not even the default values**

It is important that you do not hard-code secrets, even default values.

First, hard-coded default secrets are often short and can be easily compromised
even by attackers who do not have access to the code base.

Second, hard-coded default secrets can cause problems if they need to be
changed or replaced.

And most importantly, there is always the possibility to accidentally set
default secrets for production services, which can lead to security
vulnerabilities and make production insecure by default.

To minimize these risks, it is recommended to apply the above strategies, even
for the default settings.