diff --git a/docker-compose.encryptid.yml b/docker-compose.encryptid.yml
index 2bc51e0..ce53175 100644
--- a/docker-compose.encryptid.yml
+++ b/docker-compose.encryptid.yml
@@ -14,8 +14,8 @@ services:
     environment:
       - NODE_ENV=production
       - PORT=3000
-      - JWT_SECRET=${JWT_SECRET:-change-this-in-production}
-      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD:-encryptid}@encryptid-db:5432/encryptid
+      - JWT_SECRET=${JWT_SECRET}
+      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD}@encryptid-db:5432/encryptid
       - SMTP_HOST=${SMTP_HOST:-mx.jeffemmett.com}
       - SMTP_PORT=${SMTP_PORT:-587}
       - SMTP_USER=${SMTP_USER:-noreply@jeffemmett.com}
@@ -48,7 +48,7 @@ services:
     environment:
       - POSTGRES_DB=encryptid
       - POSTGRES_USER=encryptid
-      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD:-encryptid}
+      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD}
     volumes:
       - encryptid-pgdata:/var/lib/postgresql/data
     networks:
diff --git a/src/encryptid/db.ts b/src/encryptid/db.ts
index b2c5472..36c4555 100644
--- a/src/encryptid/db.ts
+++ b/src/encryptid/db.ts
@@ -13,7 +13,10 @@ import { join } from 'path';
 // CONNECTION
 // ============================================================================
 
-const DATABASE_URL = process.env.DATABASE_URL || 'postgres://encryptid:encryptid@localhost:5432/encryptid';
+const DATABASE_URL = process.env.DATABASE_URL;
+if (!DATABASE_URL) {
+  throw new Error('DATABASE_URL environment variable is required');
+}
 
 const sql = postgres(DATABASE_URL, {
   max: 10,
diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index 605f89a..42ed6e3 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -45,7 +45,11 @@ const CONFIG = {
   port: process.env.PORT || 3000,
   rpId: 'jeffemmett.com',
   rpName: 'EncryptID',
-  jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production',
+  jwtSecret: (() => {
+    const secret = process.env.JWT_SECRET;
+    if (!secret) throw new Error('JWT_SECRET environment variable is required');
+    return secret;
+  })(),
   sessionDuration: 15 * 60,  // 15 minutes
   refreshDuration: 7 * 24 * 60 * 60,  // 7 days
   smtp: {