In various tutorials I'm finding them all saying that "JWTs should be signed by an environment variable and not hard-coded into an application". From a security standpoint, if a hacker were to gain access to my Node.js application's source code, I'm assuming they could also see the environment variables on the server's system? How is it inherently more secure to call an environment variable from within Node vs. hard-coding the app's source code?In various tutorials I'm finding them all sayin