diff --git a/.github/workflows/django-tests.yml b/.github/workflows/django-tests.yml
index 293c02a..0eebed1 100644
--- a/.github/workflows/django-tests.yml
+++ b/.github/workflows/django-tests.yml
@@ -19,6 +19,7 @@ jobs:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       AWS_STORAGE_BUCKET_NAME: ${{ secrets.AWS_STORAGE_BUCKET_NAME }}
+      DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
 
     steps:
       - name: Checkout code
diff --git a/backend/bitmatch/settings.py b/backend/bitmatch/settings.py
index 2f5345b..8c29feb 100644
--- a/backend/bitmatch/settings.py
+++ b/backend/bitmatch/settings.py
@@ -25,12 +25,17 @@
 # See https://docs.djangoproject.com/en/5.1/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-b4wn$=0zp6j)8%uejmc)hp&3$j3myn$(&i_69(c@shw1i285*v'
+SECRET_KEY = os.getenv("DJANGO_SECRET_KEY")
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DJANGO_ENV = os.getenv("DJANGO_ENV", "DEV").upper()  
 
-ALLOWED_HOSTS = ["*"]
+DEBUG = DJANGO_ENV == "DEV"
+
+if DJANGO_ENV == "PROD":
+    ALLOWED_HOSTS = ["bitmatchapp.com", "www.bitmatchapp.com"]
+else:
+    ALLOWED_HOSTS = ["localhost", "127.0.0.1"]
 
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": (
@@ -178,6 +183,7 @@
     "http://localhost:5173", 
     "http://localhost:5174", 
     "https://bitmatchapp.com",
+    "https://www.bitmatchapp.com",
     "https://api.bitmatchapp.com",
 ]