diff --git a/internal/web/handlers.go b/internal/web/handlers.go
index 2130023..4bec902 100644
--- a/internal/web/handlers.go
+++ b/internal/web/handlers.go
@@ -8,9 +8,14 @@ import (
 	"github.com/gorilla/csrf"
 )
 
+type Config struct {
+	CSRFSecret string `env:"CSRF_TOKEN"`
+}
+
 type Handlers struct {
 	*app.App
 	session *scs.Session
+	Config *Config
 }
 
 func NewHandlers(app *app.App) *Handlers {
@@ -34,8 +39,12 @@ func (h *Handlers) commonRenderContext(r *http.Request) map[string]interface{} {
 }
 
 func (h *Handlers) CSRF() func(http.Handler) http.Handler {
+	if h.Config.CSRFSecret == "" {
+		// TODO FIXME: generate random
+		h.Config.CSRFSecret = "12345678901234567890123456789012"
+	}
 	return csrf.Protect(
-		[]byte("12345678901234567890123456789012"),
+		[]byte(h.Config.CSRFSecret),
 		csrf.FieldName("authenticity_token"),
 		csrf.Secure(h.session.Cookie.Secure),
 	)
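Review bot: The new `Config *Config` field on `Handlers` is a pointer that nothing in this hunk initializes, and the body of `NewHandlers` is outside the hunk, so unless the constructor (or a caller) assigns it, the first `h.Config.CSRFSecret` access in `CSRF()` is a nil-pointer panic. Either make the field a value (`Config Config`) so the zero value is safe, or have `NewHandlers` take or build a `*Config` and document that it must be non-nil. The exported `Config` type and its field also lack doc comments; the field name `CSRFSecret` and its tag `CSRF_TOKEN` disagree, which is worth stating explicitly, e.g. `// CSRFSecret is the 32-byte key used to sign CSRF tokens; loaded from the CSRF_TOKEN environment variable.`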
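Review bot: The empty-secret branch in `CSRF()` falls back to a fixed 32-byte key that is committed to the repository, so a deployment that forgets to set `CSRF_TOKEN` silently runs with a key anyone can read from source, and the forged-token risk the `TODO FIXME` alludes to is left in place rather than removed. A missing or wrong-length secret should stop startup instead of being papered over; `csrf.Protect` expects a 32-byte key, so the guard can be `if h.Config == nil || len(h.Config.CSRFSecret) != 32 { panic("CSRF_TOKEN must be set to a 32-byte secret") }` (or return an error from a constructor that validates config). Generating a random key with `crypto/rand` is an option if the TODO is kept, but note that a per-process key invalidates tokens across restarts and between instances, so it should be a deliberate choice rather than a hidden default. The assignment to `h.Config.CSRFSecret` inside `CSRF()` also mutates shared config as a side effect of building middleware; validating once at construction time avoids that.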