E. g. Wordpress suggests as default permission '644' for its 'wp-config.php'.
I assume (but not know) that this setting grant all users ->known on the server<- at least read permissions.
I further assume that the term 'others' do not include an arbitrary user who access my side via http(?).
Background: I have a php script with access to an api service and which contains sensitive api login credentials. I'm now puzzled if anybody with internet access could read this data inside my script if I use 644 for it??