diff --git a/Dockerfile b/Dockerfile
index 00f6ba8..a81f47b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,8 @@ RUN apt-get update && \
 RUN pip3 install --upgrade pip
 RUN pip3 install -U -r requirements.txt
+RUN cat /dev/urandom | head -c 50 | md5sum | head -c 32 > /code/.sk
+RUN chmod 600 .sk
 EXPOSE 80
 # NOTE, wrapper.sh will use sudo to work in PROD and DEV AS the correct
 # BOOK_UID/BOOK_GID as pybook user and group
diff --git a/main.py b/main.py
index d363bdb..a891cb8 100644
--- a/main.py
+++ b/main.py
@@ -32,7 +32,13 @@ else:
 app.config['SQLALCHEMY_DATABASE_URI'] = DB_URL
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
-app.config.from_mapping( SECRET_KEY=b'\xd6\x04\xbdj\xfe\xed$c\x1e@\xad\x0f\x13,@G')
+
+# if in prod, Dockerfile will generate a random string and place it in /code/.sk
+try:
+ with open('/code/.sk') as f:
+ app.config['SECRET_KEY'] = f.read()
+except Exception:
+ app.config['SECRET_KEY'] = b'my_insecure_pybook_token_with_random_a897s987f98as7df9as87df9safd'
 # ldap config vars: (the last one is required, or python ldap freaks out)
 app.config['LDAP_HOST'] = 'mara.ddp.net'
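Review bot: The two added `RUN` lines create the key at build time, so `/code/.sk` is stored in an image layer: every container started from the image shares one key, anyone who can pull the image can read it regardless of `chmod 600`, and a cached layer keeps it unchanged across rebuilds. Generating the file at container start (for example in wrapper.sh before the app launches), or passing the key in through an environment variable or mounted secret, avoids that. The file is also created by the build user (presumably root; no `USER` line is visible in this hunk) while the comment below says the app runs as pybook, so with mode 600 the app may be unable to read it and main.py would then silently use its hard-coded fallback key; the file needs to be owned by the runtime user. `chmod 600 .sk` also depends on the working directory being /code, so `RUN chmod 600 /code/.sk` would match the path on the line above.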
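Review bot: The `except Exception:` branch turns any failure to read `/code/.sk` (missing file, permission denied, wrong path) into a silent fallback to a key that is committed in this repository, so a production instance can end up signing sessions with a publicly known `SECRET_KEY` and nothing in the logs shows it. Narrow the handler to `except OSError:`, log a warning there, and refuse to start outside development, e.g. `raise RuntimeError('cannot read /code/.sk; refusing to use the built-in development key')` unless whatever this module already uses to tell DEV from PROD (not visible in this hunk) says it is a dev run. An empty or whitespace-only file should be rejected too: read it as `key = f.read().strip()` and check `if not key` before assigning.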