diff --git a/plchweb/settings.py b/plchweb/settings.py
index 63084e9..5b6e76d 100644
--- a/plchweb/settings.py
+++ b/plchweb/settings.py
@@ -20,12 +20,12 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'f^%0urhe2)0q^*x^=pv$2cs%m3(xjtqw_x+uzm!io=as316=+x'
+SECRET_KEY = os.urandom(512).hex()
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = False
-ALLOWED_HOSTS = ["127.0.0.1"]
+ALLOWED_HOSTS = ["plch.xyz", "www.plch.xyz"]
 # Application definition
@@ -122,3 +122,17 @@ STATIC_URL = '/static/'
 MEDIA_URL = "/media/"
 STATIC_ROOT = os.path.join(BASE_DIR, "static/")
 MEDIA_ROOT = os.path.join(BASE_DIR, "media/")
+
+SECURE_HSTS_SECONDS = 3600
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
+X_FRAME_OPTIONS = "DENY"
+CONN_MAX_AGE = 43200
+
+FILE_UPLOAD_PERMISSIONS = 0o640
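Review bot: `SECRET_KEY = os.urandom(512).hex()` generates a fresh key every time the settings module is imported, so every restart (and, if the app runs under several worker processes, every worker) signs with a different key — sessions, CSRF tokens, password-reset links and anything else Django signs become invalid or fail intermittently. The key must be persistent and loaded from outside the repository, e.g. `SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]`, which also fails closed at startup if it is unset instead of silently running with a throwaway key. The old hard-coded key remains in git history and should be treated as compromised, which this rotation already achieves; a one-line comment such as `# Loaded from the environment so it survives restarts and is shared by all workers` would stop the next maintainer from reverting to in-process generation.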
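Review bot: `SECURE_HSTS_PRELOAD = True` is ineffective alongside `SECURE_HSTS_SECONDS = 3600`: the preload list requires a max-age of at least one year (31536000) together with includeSubDomains, so with 3600 the `preload` directive is emitted but the domain cannot be accepted, and anyone submitting it later will be rejected. Either raise the value once the HTTPS rollout is trusted, `SECURE_HSTS_SECONDS = 31536000`, or drop the preload flag until then; keep in mind preload with includeSubDomains is a near-irreversible commitment for every subdomain of plch.xyz. If TLS terminates at a reverse proxy in front of this app (not visible here), `SECURE_SSL_REDIRECT = True` will loop unless `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` is also set and the proxy overwrites that header. `SECURE_BROWSER_XSS_FILTER` is deprecated in the Django line this file targets (the X-XSS-Protection header is no longer honored by current browsers) and can be removed; a comment above the block noting the HSTS staging plan, e.g. `# HSTS: 1h while verifying HTTPS everywhere; raise to 31536000 before enabling preload`, would document the intent.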