diff --git a/README.md b/README.md
index 556d7da..2bf0028 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@
 # Production
 - add domain to *Caddyfile*
+- generate new database password and put it into appropriate places in *docker/docker-compose.yml*
+- generate new `SECRET_KEY` with `openssl rand -base64 32` and put it into *docker/docker-compose.yml* geodata: and frontend: environment variables
 # Run
 - `docker-compose --file docker/docker-compose.yml up --build -d`
diff --git a/backend/src/main.py b/backend/src/main.py
index 0e993ce..56a05ed 100644
--- a/backend/src/main.py
+++ b/backend/src/main.py
@@ -1,3 +1,5 @@
+import os
+
 from base64 import b64decode
 from datetime import datetime, timedelta
 from re import IGNORECASE, sub as substitute
@@ -16,7 +18,7 @@ from .database import SessionLocal, engine
 # Security
 # take it from env
-SECRET_KEY = b64decode("iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8=")
+SECRET_KEY = b64decode(os.environ["SECRET_KEY"])
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 3600
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index c154ea6..c352c97 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -23,7 +23,7 @@ handle_path /pgweb/* {
 jwtauth {
-sign_key iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8=
+sign_key {$SECRET_KEY}
 from_cookies user_session
 }
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index c2ad0b7..349b2b7 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 dockerfile: ../../docker/Dockerfile.backend
 volumes:
 - tmp_vol:/tmp
+environment:
+- SECRET_KEY="iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8="
 postgres:
 image: "postgis/postgis:13-3.2"
@@ -37,6 +39,8 @@ services:
 - caddy_config:/config
 - ../caddy:/etc/caddy
 - ../previews:/srv
+environment:
+- SECRET_KEY="iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8="
 pgweb:
 restart: always
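Review bot: The comment `# take it from env` directly above the changed `SECRET_KEY` line in the `@@ -16,7 +18,7 @@` hunk is now stale, since the assignment does read the environment; replace it with a statement of the contract such as `# base64-encoded HS256 signing key; must decode to the same bytes as the Caddy jwtauth sign_key`. `os.environ["SECRET_KEY"]` raises a bare `KeyError` at import time when the variable is missing, which is acceptable fail-fast behaviour, but `b64decode` is called without `validate=True`, so a value that arrives with stray characters (for example surrounding quotes) is decoded after silently discarding them rather than being rejected; `SECRET_KEY = b64decode(os.environ["SECRET_KEY"], validate=True)` would surface a malformed value at startup instead of producing a key that differs from what the Caddy side derives.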
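Review bot: `sign_key {$SECRET_KEY}` in the `@@ -23,7 +23,7 @@` hunk is an environment placeholder expanded when the Caddyfile is loaded, and Caddy substitutes an empty string for an unset variable, so a caddy container started without `SECRET_KEY` would most likely end up with an empty `sign_key` rather than a clear configuration error — confirm at deploy time that the variable actually reaches the caddy service and that startup fails loudly when it is absent. The value must decode to exactly the bytes the backend uses, which is the whole point of sharing one variable; a comment such as `# must be byte-identical to the backend SECRET_KEY (both set in docker/docker-compose.yml)` next to this directive would make that dependency visible to whoever next edits either file. The enclosing `handle_path /pgweb/*` block begins outside the hunk.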
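Review bot: Both `environment:` additions (the `@@ -8,6 +8,8 @@` and `@@ -37,6 +39,8 @@` hunks) hard-code the very same `SECRET_KEY` value that this commit removes from main.py and the Caddyfile, so the signing key remains committed to the repository and is unchanged from the one already exposed in git history; the key should be rotated and loaded from an untracked source (an `env_file:` entry or `${SECRET_KEY}` substitution from a git-ignored `.env`, or a secrets mechanism) rather than written into the tracked compose file. In the list form of `environment:` the double quotes are part of the YAML scalar, and compose passes the value through literally, so both services may receive the quotes as part of the key — Python's `b64decode` discards non-alphabet characters, but the Caddy side may not, which would leave the two services with different keys; write the entries as `- SECRET_KEY=<base64 key>` without quotes or use the mapping form `SECRET_KEY: <base64 key>`. The README hunk names the target services `geodata:` and `frontend:`, which this diff does not show, so verify the service names match.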