diff --git a/.env.example b/.env.example
index b17e855..b14bca4 100644
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,5 @@
+SECRET_KEY=django-insecure-change-me
+DEBUG=True
+ALLOWED_HOSTS=localhost,127.0.0.1
 GALLERY_ROOT=/absolute/path/to/images
 THUMBNAILS_ROOT=/absolute/path/to/thumb-cache
diff --git a/NibasaViewer/settings.py b/NibasaViewer/settings.py
index d15b0f2..ad7948c 100644
--- a/NibasaViewer/settings.py
+++ b/NibasaViewer/settings.py
@@ -33,16 +33,56 @@ def _path_from_env(var_name):
     return Path(value)
 
 
+def _string_from_env(var_name, default):
+    value = os.getenv(var_name)
+    if value is None:
+        return default
+
+    value = value.strip()
+    if not value:
+        return default
+
+    return value
+
+
+def _bool_from_env(var_name, default):
+    value = os.getenv(var_name)
+    if value is None:
+        return default
+
+    value = value.strip().lower()
+    if value in {"1", "true", "t", "yes", "y", "on"}:
+        return True
+    if value in {"0", "false", "f", "no", "n", "off"}:
+        return False
+
+    return default
+
+
+def _list_from_env(var_name, default):
+    value = os.getenv(var_name)
+    if value is None:
+        return default
+
+    items = [item.strip() for item in value.split(",") if item.strip()]
+    if not items:
+        return default
+
+    return items
+
+
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-#_89g9-8to*_ogxz_e0jpnqlreo0hy10odxc_)99$cs66=#7(*"
+SECRET_KEY = _string_from_env(
+    "SECRET_KEY", "django-insecure-#_89g9-8to*_ogxz_e0jpnqlreo0hy10odxc_)99$cs66=#7(*"
+)
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = _bool_from_env("DEBUG", True)
 
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = _list_from_env("ALLOWED_HOSTS", [])
 
 
 # Application definition