diff --git a/app/config/config.py b/app/config/config.py
index 37e7d26..c259ff5 100644
--- a/app/config/config.py
+++ b/app/config/config.py
@@ -3,7 +3,14 @@
 
 load_dotenv()
 
+import os
+
 class Config:
-    SECRET_KEY = os.getenv("SECRET_KEY", "default-secret-key")
-    DEBUG = os.getenv("DEBUG", False)
+    # FIX: Do not use a hardcoded default for SECRET_KEY. Raise an error if not set.
+    SECRET_KEY = os.getenv("SECRET_KEY")
+    if not SECRET_KEY:
+        raise RuntimeError("SECRET_KEY environment variable must be set and not empty!")
+    DEBUG = os.getenv("DEBUG", "False").lower() in ("true", "1", "yes")
     CORS_ORIGINS = os.getenv("CORS_ORIGINS", "*")
+
+# FIX EXPLANATION: The fix removes the insecure hardcoded default for SECRET_KEY and enforces that it must be set in the environment. This prevents accidental use of a known, weak key in any environment, ensuring cryptographic operations remain secure. Additionally, DEBUG is now parsed as a boolean for correctness.