diff --git a/.gitignore b/.gitignore
index d24328c..266f685 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .idea/
 db.sqlite3
-staticfiles/
\ No newline at end of file
+staticfiles/
+/secret_key.txt
diff --git a/keeppolling/development.py b/keeppolling/development.py
new file mode 100644
index 0000000..44673a2
--- /dev/null
+++ b/keeppolling/development.py
@@ -0,0 +1,2 @@
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'django-insecure-0f-zq@@@09f))7t)2ifd^7@qx1@5d-&h#sb*d)ptqoi+r2v-x5'
diff --git a/keeppolling/production.py b/keeppolling/production.py
new file mode 100644
index 0000000..cc1d362
--- /dev/null
+++ b/keeppolling/production.py
@@ -0,0 +1,25 @@
+# SECURITY WARNING: keep the secret key used in production secret!
+try:
+ with open('secret_key.txt') as f:
+ SECRET_KEY = f.read().strip()
+ # SECRET_KEY = os.environ["SECRET_KEY"]
+except FileNotFoundError:
+ raise RuntimeError("No 'secret_key.txt' found! Fix the configuration...")
+
+
+# https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/#allowed-hosts
+ALLOWED_HOSTS = [
+ f"keeppolling.guyware.nz",
+]
+
+CSRF_TRUSTED_ORIGINS = [
+ f"https://keeppolling.guyware.nz",
+]
+
+# Enable HTTPS only and turn on these settings
+SECURE_SSL_REDIRECT = True
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
diff --git a/keeppolling/settings.py b/keeppolling/settings.py
index 5ce0329..32b3f74 100644
--- a/keeppolling/settings.py
+++ b/keeppolling/settings.py
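Review bot: The key in `keeppolling/development.py` is the same value this commit removes from `settings.py`, so it is already in the repository history and has to be treated as public; the copied comment `# SECURITY WARNING: keep the secret key used in production secret!` no longer describes this file. Replace it with something like `# Development-only key, committed to the repository. Never reuse it for a deployed instance.` If any deployed instance ever ran with this value, `secret_key.txt` must contain a newly generated key, because sessions and other signed values produced with the old key cannot be trusted.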
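Review bot: In `keeppolling/production.py`, `open('secret_key.txt')` resolves against the process working directory rather than the project, so startup depends on where the WSGI server or service manager launches the process; the `/secret_key.txt` entry added to .gitignore suggests the file is meant to sit at the repository root. Anchor the path to the module instead, e.g. `from pathlib import Path` and `with open(Path(__file__).resolve().parent.parent / 'secret_key.txt') as f:`, and keep the file readable only by the account that runs the app. Separately, `SECURE_HSTS_SECONDS = 31536000` combined with `SECURE_HSTS_INCLUDE_SUBDOMAINS` and `SECURE_HSTS_PRELOAD` is hard to roll back once browsers have cached it, so a short value is safer until HTTPS is confirmed on every subdomain. If TLS terminates at a reverse proxy (not visible in this commit), `SECURE_SSL_REDIRECT = True` also needs `SECURE_PROXY_SSL_HEADER` set, otherwise requests can loop on the redirect.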
@@ -19,13 +19,14 @@ BASE_DIR = Path(__file__).resolve().parent.parent # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/5.0/howto/deployment/checklist/ -# SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'django-insecure-0f-zq@@@09f))7t)2ifd^7@qx1@5d-&h#sb*d)ptqoi+r2v-x5' - +# Set DEBUG based on the environment # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = os.environ.get("DJANGO_DEBUG", "False") == "True" -ALLOWED_HOSTS = [] +if DEBUG: + from .development import * +else: + from .production import * # Application definition
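Review bot: The new `DEBUG = os.environ.get("DJANGO_DEBUG", "False") == "True"` line uses `os`, but no hunk in this commit adds `import os` to `keeppolling/settings.py`; unless the module already imports it above line 19, loading the settings fails with NameError, so add `import os` with the other imports at the top of the file. The same flag now also selects the settings module, so `DJANGO_DEBUG=True` on a deployed host would turn on debug pages, load the committed development key and drop the HTTPS settings in one step. A comment on the `if DEBUG:` branch such as `# DJANGO_DEBUG=True also loads the public development SECRET_KEY; never set it on a deployed host.` would make that coupling explicit. Falling back to the production settings when the variable is unset or not exactly `True` is the right fail-safe default.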