diff --git a/.env.example b/.env.example
index 8f5750c..ebf5507 100644
--- a/.env.example
+++ b/.env.example
@@ -5,6 +5,10 @@
 # - 0.0.0.0 = all interfaces (production, accessible from network)
 HOST_BINDING=127.0.0.1
 
+# Secret session key for cookies
+# Used to digitally sign cookies to prevent tampering
+SECRET_KEY=cange-me-in-prod
+
 # Local mode - enables auto-login with admin access, no rate limits
 # Set to "true" for local development, "false" for production
 LOCAL_MODE=true
diff --git a/README.md b/README.md
index 2531a83..f2b36b1 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,7 @@ For production deployment with user authentication, edit your `.env` file:
 LOCAL_MODE=false
 HOST_BINDING=0.0.0.0
 REGISTRATION_DISABLED=false
+SECRET_KEY=super-secret-secret-key-goes-here--preferably-a-random-string
 ```
diff --git a/main.py b/main.py
index bb283ab..29fd34c 100644
--- a/main.py
+++ b/main.py
@@ -38,7 +38,7 @@ DISABLE_GUEST = args.disable_guest or os.getenv('DISABLE_GUEST', '').lower() in ('true', '1', 'yes')
 app = Flask(__name__, template_folder='web/templates', static_folder='web/static')
-app.secret_key = 'librecrawl-secret-key-change-in-production' # TODO: Use environment variable in production
+app.secret_key = os.getenv('SECRET_KEY', 'change-me-in-prod')
 # Enable compression for all responses
 Compress(app)
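Review bot: The placeholder on the added `SECRET_KEY=cange-me-in-prod` line is misspelled, and since an example file is exactly what operators copy into a real `.env`, the comment above it should tell them how to mint a proper value instead of leaving a string that works unchanged. I would replace the two added comment lines with `# Secret key used to sign session cookies. Generate a random one with:` and `#   python -c "import secrets; print(secrets.token_hex(32))"`, and fix the value line to `SECRET_KEY=change-me-in-prod` so it at least matches the fallback literal in main.py. Keeping the wording about "digitally sign cookies to prevent tampering" is fine; what is missing is the instruction to actually replace it.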
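Review bot: The fallback `'change-me-in-prod'` on the `+app.secret_key` line is a fixed, public string, so a deployment that forgets to export SECRET_KEY still signs its session cookies with a key anyone who reads the repository knows — the same weakness the removed TODO line pointed at, only with a shorter literal. Given that this file parses its env flags as `os.getenv(...).lower() in ('true', '1', 'yes')` (visible in the hunk header), the unset case could fall back to a per-process random key only in local mode and refuse to start otherwise; `secrets` is stdlib and would need an import above this hunk. I cannot see whether main.py already binds LOCAL_MODE to a name, so the sketch below reads the variable directly — reuse the existing flag if there is one.
```python
app = Flask(__name__, template_folder='web/templates', static_folder='web/static')
_local_mode = os.getenv('LOCAL_MODE', '').lower() in ('true', '1', 'yes')
app.secret_key = os.getenv('SECRET_KEY')
if not app.secret_key:
    if _local_mode:
        # Local auto-login mode: a fresh random key per process is sufficient
        app.secret_key = secrets.token_hex(32)
    else:
        raise SystemExit('SECRET_KEY must be set when LOCAL_MODE is not true')
# … unchanged: compression setup …
```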