Secrets and configuration live next to each other, so teams start treating them as the same kind of thing. They are not.
Configuration changes behavior. A secret changes authority. Rotate a feature flag badly and a page looks wrong. Rotate a signing key badly and every token, webhook, or integration downstream may become suspect.
That difference should show up in process.
The separation
Config needs review. Secrets need custody.
Config needs history. Secrets need access logs.
Config needs rollback. Secrets need rotation and revocation.
Config can often be visible to the whole engineering team. Secrets should not be visible just because someone can deploy.
The dangerous pattern is a single environment page with plain values, hidden values, feature flags, API keys, and one big save button. It feels convenient because all runtime knobs are together. It is also how an operator learns that convenience was the security model.
Keep secrets boring, narrow, and auditable. They are not settings. They are delegated power.