diff --git a/env.example b/env.example
index 2c2f3f588841e9df95d7b641ec629fd8e6116872..dbae37c59a73c9bdecdecf3ece56c14ee9dc9455 100644
--- a/env.example
+++ b/env.example
@@ -1 +1,5 @@
 DATABASE_URL="postgresql://institut:institut@localhost:5432/postgres"
+
+# ALLOWED_HOSTS=dev.imaniti.org
+# SECRET_KEY=asdf
+# CSRF_TRUSTED_ORIGINS=https://dev.imaniti.org
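Review bot: The sample `# SECRET_KEY=asdf` is a short, guessable value that becomes a working key as soon as someone uncomments the line, and production.py reads SECRET_KEY straight from the environment. Django signs sessions, password-reset tokens and other signed data with this key, so a copied sample value would leave those signatures open to forgery. I would use an obviously non-working placeholder with a hint instead, e.g. `# SECRET_KEY=<generate a long random value; never commit it>`.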
diff --git a/institut/settings/base.py b/institut/settings/base.py
index fb98f3b7f6525577b96551fb6f93c78391d2bae8..9141d277fe738f828a8fe039dd11ee25508a6dff 100644
--- a/institut/settings/base.py
+++ b/institut/settings/base.py
@@ -28,6 +28,10 @@ environ.Env.read_env(os.path.join(BASE_DIR, ".env"))
 # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
 
 
+ALLOWED_HOSTS = env.list("ALLOWED_HOSTS", [])
+CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", [])
+
+
 # Application definition
 
 INSTALLED_APPS = [
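Review bot: On the two added lines the `[]` is passed positionally, and if `env` is django-environ's `Env` (the `environ.Env.read_env` call in the hunk header suggests so), the second positional parameter of `list()` is `cast`, not `default`. An empty list there is falsy and is ignored, so no default is set and an unset variable still raises `ImproperlyConfigured` instead of yielding `[]`. Pass it by keyword: `ALLOWED_HOSTS = env.list("ALLOWED_HOSTS", default=[])` and `CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])`. Once the default takes effect, production no longer fails at startup when ALLOWED_HOSTS is missing and Django rejects every request while DEBUG is False. A short comment would help, such as `# Empty default: with DEBUG=False every Host header is rejected; never set "*" in production`.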
diff --git a/institut/settings/production.py b/institut/settings/production.py
index 891c5754ec5c66751ba31ea9394e1fce663b39da..42e0957029db778b2bf13c518e08a4fa73bff174 100644
--- a/institut/settings/production.py
+++ b/institut/settings/production.py
@@ -2,7 +2,6 @@ from .base import *
 
 DEBUG = False
 SECRET_KEY = env.str("SECRET_KEY")
-ALLOWED_HOSTS = env.list("ALLOWED_HOSTS")
 
 try:
     from .local import *