diff --git a/hashflix/settings.py b/hashflix/settings.py
index 16120f7..6900798 100644
--- a/hashflix/settings.py
+++ b/hashflix/settings.py
@@ -22,12 +22,18 @@
 # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-%^9!uvtl3#@2kx0p_t-j2_*lwv-l%pj%vcbrew_cy30xv3&rzi'
+TOKEN_CSRF = os.getenv("TOKEN_CSRF")
+if TOKEN_CSRF:
+    SECRET_KEY = TOKEN_CSRF
+    CSRF_TRUSTED_ORIGINS = ['https://sitecomdjango-production.up.railway.app/']
+else:
+    SECRET_KEY = 'django-insecure-%^9!uvtl3#@2kx0p_t-j2_*lwv-l%pj%vcbrew_cy30xv3&rzi'
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = [
+    "https://sitecomdjango-production.up.railway.app/", "localhost", "127.0.0.1"]
 
 
 # Application definition