440/400
https://www.drupal.org/node/137702
You must understand the meaning of XYZ chmod from file attribute.
X = Owner
Y = Group
Z = Everyone/World
If you set to XY4 then you give Everyone a "read" access! (even the
content inside a php file can not read by a browser, but still readable
by using ssh, ftp or file browser).
Since settings.php must be only read by your system then you must set to
440 or better 400 (if possible). Gives 440 to a file will protect
everyone (except owner and group) to read this file using any access
types.
Important:
If your website can not run with 440 then you have a seriously security hole!