diff --git a/README.md b/README.md index 419cfcb..c8e668f 100644 --- a/README.md +++ b/README.md @@ -9,3 +9,8 @@ Use `flask --app flaskr run` to run app. To update package, you will need to ins ## Initializing database The first time you install the app in each environment, you need to initialize database using `flask --app flaskr init-db`. This only needs to be run once per environment, and **will delete existing database if run again**. + +## Secret key +Every website with login needs a secret key to hash passwords with. +`/var/flaskr-instance/config.py` must contain a line `SECRET_KEY = '`, which must be randomly generated. +Suggested way of generating the key is `python -c 'import secrets; print(secrets.token_hex())'`, which returns a hexadecimal string with length 64. You may choose to randomly generate a key using a different method, but ensure that it is resistant to brute-force attacks.
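Review bot: The first sentence of the new "Secret key" section says the key is needed "to hash passwords with", which misstates its role: in Flask, `SECRET_KEY` signs the session cookie and is not an input to password hashing. Suggest rewording to something like "Flask uses a secret key to sign session cookies, so it must be set before the login feature is used." The example line `SECRET_KEY = '` has an unterminated quote and no value; show a complete line with an obvious placeholder so readers can see where the generated string goes. It would also help to state that `/var/flaskr-instance/config.py` must stay out of version control and be readable only by the account running the app, and that replacing the key invalidates existing sessions.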