diff --git a/README.md b/README.md
index 04b350e..558f5e7 100644
--- a/README.md
+++ b/README.md
@@ -34,20 +34,47 @@ pkill -f "flask run" && flask run --host=0.0.0.0 --port=5001
 ### Docker Deployment
 ```bash
-# Build and start container
+# First generate and set your secret key
+python -c 'import secrets; print(f"FLASK_SECRET_KEY={secrets.token_hex(32)}")' >> .env
+
+# Then start the container
 docker-compose up --build
-# For production (detached mode)
+# Production deployment (detached mode)
 docker-compose up --build -d
 ```
+Note: Docker will automatically load the `.env` file from your project root
+
 The application will be available at `http://localhost:5001`
 ### Persisting Data
 The database will be preserved between container restarts through the `./instance` volume mount.
+## Configuration
+
+### Secret Key Management
+The application uses a hierarchical configuration for the secret key:
+1. Environment variable `FLASK_SECRET_KEY` (highest priority)
+2. Hardcoded value in `app.py` (development fallback only)
+
+**Production Setup:**
+```bash
+# Generate a secure secret key
+python -c 'import secrets; print(secrets.token_hex(32))'
+
+# Update .env file
+echo "FLASK_SECRET_KEY=your_generated_secret_here" >> .env
+```
+
+**Important Security Notes:**
+- Never commit the `.env` file to version control
+- The default secret key should only be used for development
+- In production, use proper secret management (Vault, KMS, etc.)
+
 ## Features
 - User registration with password confirmation
 - Secure password hashing
 - Login/logout functionality
 - SQLite database
+- Environment-based configuration
diff --git a/app.py b/app.py
index 08c5cd9..cd37aaa 100644
--- a/app.py
+++ b/app.py
@@ -5,7 +5,10 @@ from werkzeug.security import generate_password_hash, check_password_hash
 import os
 app = Flask(__name__)
-app.config['SECRET_KEY'] = 'your-secret-key-here'
+app.config['SECRET_KEY'] = os.environ.get(
+ 'FLASK_SECRET_KEY',
+ 'your-secret-key-here' # Fallback for development only
+)
 app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + os.path.join(os.path.abspath(os.path.dirname(__file__)), 'instance/users.db')
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
diff --git a/docker-compose.yml b/docker-compose.yml
index 51944bf..a28611e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 - "5001:5001"
 environment:
 - FLASK_ENV=production
- - FLASK_SECRET_KEY=${FLASK_SECRET_KEY:-your-secret-key-here}
+ - FLASK_SECRET_KEY=${FLASK_SECRET_KEY} # Required - set in .env file
 - SQLALCHEMY_DATABASE_URI=sqlite:////app/instance/users.db
 volumes:
 - ./instance:/app/instance
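Review bot: The fallback argument on the new `os.environ.get(...)` call still ships a fixed, publicly known signing key, and that fallback only applies when the variable is absent — when the docker-compose hunk below passes `FLASK_SECRET_KEY=${FLASK_SECRET_KEY}` with nothing set in `.env`, Compose substitutes an empty string, so `SECRET_KEY` becomes `""` and the app appears to start but fails on the first session write rather than at startup. Since the compose file already sets `FLASK_ENV=production`, the assignment should refuse to start with a missing or empty key in production and use the development placeholder only otherwise, as below. These are module-level statements, so the change is self-contained; whether anything else in `app.py` reads `FLASK_ENV` is not visible from this hunk.
```python
_secret_key = os.environ.get('FLASK_SECRET_KEY')
if not _secret_key:
    # Empty counts as missing: Compose expands an unset ${FLASK_SECRET_KEY} to "".
    if os.environ.get('FLASK_ENV') == 'production':
        raise RuntimeError('FLASK_SECRET_KEY must be set to a non-empty value in production')
    _secret_key = 'your-secret-key-here'  # development fallback only
app.config['SECRET_KEY'] = _secret_key
# … unchanged: SQLALCHEMY_DATABASE_URI / SQLALCHEMY_TRACK_MODIFICATIONS config …
```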
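Review bot: `${FLASK_SECRET_KEY}` without a modifier does not make the variable required as the trailing `# Required` comment claims; Compose expands an unset variable to an empty string (with a warning) and starts the container anyway, so the container runs with an empty secret. Use the error form so `docker-compose up` aborts instead, `- FLASK_SECRET_KEY=${FLASK_SECRET_KEY:?FLASK_SECRET_KEY must be set in .env}`, which makes the inline comment redundant. The `:?` form rejects an empty value as well as an unset one, so it also covers a `.env` that contains `FLASK_SECRET_KEY=` with nothing after it.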