Let's assume that your Q2A installation directory (the location where you unpacked the application archive) is /var/www/q2a. This directory is published by the webserver hosting the application. By default the config file would then be located at /var/www/q2a/qa-config.php, which is inside the published directory.
The recommendation is to move the file to some directory that is not published by the webserver, for instance the webserver config directory (/etc/nginx if you're using Nginx) or your userhome if you're using shared webhosting, and create a new file /var/www/q2a/qa-config.php that just includes the original file from its new location:
Beware that /etc/nginx/qa-config.php still needs to be readable by the webserver user or group (usually www-data).