diff --git a/apibase/settings.py b/apibase/settings.py index 635959d..7e5cc9d 100644 --- a/apibase/settings.py +++ b/apibase/settings.py @@ -15,6 +15,7 @@ from pathlib import Path import datetime from rest_framework.settings import api_settings from decouple import config +from django.core.management.utils import get_random_secret_key from django.utils.log import DEFAULT_LOGGING import logging.config @@ -26,13 +27,18 @@ BASE_DIR = Path(__file__).resolve().parent.parent # See https://docs.djangoproject.com/en/5.0/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = config("SECRET_KEY") +SECRET_KEY = config("SECRET_KEY", default=get_random_secret_key()) # SECURITY WARNING: don't run with debug turned on in production! DEBUG = config("DEBUG", cast=bool) -ALLOWED_HOSTS = str(config("ALLOWED_HOSTS", cast=str)).split(" ") +ALLOWED_HOSTS = [] + +# Add explicit hosts from environment +env_hosts = config("ALLOWED_HOSTS", default="").split() +ALLOWED_HOSTS.extend(env_hosts) + if DEBUG: INTERNAL_IPS = [ "127.0.0.1", @@ -143,16 +149,28 @@ else: } -if not DEBUG: - CACHES = { - "default": { - "BACKEND": "django_redis.cache.RedisCache", - "LOCATION": "redis://redis:6379/", - "OPTIONS": { - "CLIENT_CLASS": "django_redis.client.DefaultClient", - }, - } +# More robust caching configuration +CACHES = { + "default": { + "BACKEND": ( + "django_redis.cache.RedisCache" + if not DEBUG + else "django.core.cache.backends.locmem.LocMemCache" + ), + "LOCATION": ( + config("REDIS_URL", default="redis://redis:6379/") if not DEBUG else "" + ), + "OPTIONS": ( + { + "CLIENT_CLASS": ( + "django_redis.client.DefaultClient" if not DEBUG else None + ), + } + if not DEBUG + else {} + ), } +} # Password validation @@ -271,7 +289,7 @@ STORAGES = { LOGGING_CONFIG = None -LOGLEVEL = os.environ.get("LOGLEVEL", "warning").upper() +LOGLEVEL = os.environ.get("LOGLEVEL", "WARNING").upper() logging.config.dictConfig( { 
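Review bot: The new `SECRET_KEY = config("SECRET_KEY", default=get_random_secret_key())` turns a missing production secret from a startup failure into a silent, per-process random key, so every restart invalidates all sessions, CSRF tokens and password-reset links, and two workers or replicas behind one load balancer will reject each other's signed cookies. Restrict the generated fallback to DEBUG and fail loudly otherwise, as below (this moves the `DEBUG = ...` line above the secret and needs `from django.core.exceptions import ImproperlyConfigured` in the import block). The rewritten `ALLOWED_HOSTS` defaults to `[]` when the variable is unset, which with DEBUG off makes Django reject every request with DisallowedHost; that is fail-closed and acceptable, but it deserves a comment such as `# Empty ALLOWED_HOSTS rejects every request outside DEBUG; set it in the environment.` because the old code raised at import time instead.
```python
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = config("DEBUG", cast=bool)

# SECURITY WARNING: keep the secret key used in production secret!
# A throwaway key is only acceptable for local development: a generated key
# differs per process and changes on every restart, breaking sessions/CSRF.
SECRET_KEY = config("SECRET_KEY", default=None)
if not SECRET_KEY:
    if not DEBUG:
        raise ImproperlyConfigured("SECRET_KEY must be set when DEBUG is False")
    SECRET_KEY = get_random_secret_key()

# … unchanged: ALLOWED_HOSTS handling …
```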
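Review bot: The rewritten `CACHES` literal evaluates `DEBUG` five times inside nested conditional expressions, and the `"CLIENT_CLASS": ... else None` branch is unreachable because `OPTIONS` is already `{}` when DEBUG is true; a plain `if DEBUG: ... else: ...` with two literal dicts expresses the same configuration in fewer lines and is easier to audit. The LocMem branch below drops the empty `LOCATION`/`OPTIONS` entries, which are that backend's defaults anyway. The Redis default `redis://redis:6379/` carries neither credentials nor TLS, which is fine on a private compose network but should be overridden through `REDIS_URL` (e.g. a `rediss://` URL with a password) wherever the cache host is reachable by other tenants, and a comment saying so next to the default would help.
```python
if DEBUG:
    # Local development: in-process cache, no external service required.
    CACHES = {
        "default": {"BACKEND": "django.core.cache.backends.locmem.LocMemCache"},
    }
else:
    # Production: shared Redis; REDIS_URL should carry credentials/TLS when the
    # host is reachable outside the private network.
    CACHES = {
        "default": {
            "BACKEND": "django_redis.cache.RedisCache",
            "LOCATION": config("REDIS_URL", default="redis://redis:6379/"),
            "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
        }
    }
```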
@@ -313,6 +331,11 @@ logging.config.dictConfig( "propagate": False, }, "django.server": DEFAULT_LOGGING["loggers"]["django.server"], + "django": { + "level": LOGLEVEL, + "handlers": ["console"], + "propagate": False, + }, }, } ) @@ -322,12 +345,16 @@ if not DEBUG: SECURE_SSL_REDIRECT = config("DJANGO_SECURE_SSL_REDIRECT", cast=bool) SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True - SECURE_HSTS_SECONDS = config("SECURE_HSTS_SECONDS", cast=int) + SECURE_HSTS_SECONDS = config("SECURE_HSTS_SECONDS", default=3600, cast=int) SECURE_HSTS_INCLUDE_SUBDOMAINS = True SECURE_HSTS_PRELOAD = True CSRF_TRUSTED_ORIGINS = [config("CSRF_TRUSTED_ORIGINS")] CSRF_COOKIE_DOMAIN = config("CSRF_COOKIE_DOMAIN") SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") + # Additional security headers + SECURE_BROWSER_XSS_FILTER = True + X_FRAME_OPTIONS = "DENY" + SECURE_CONTENT_TYPE_NOSNIFF = True EMAIL_BACKEND = (
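Review bot: The added catch-all `"django"` logger takes its level from `LOGLEVEL`, and because `django.security.*` (DisallowedHost, SuspiciousOperation, CSRF failures) has no entry of its own it now inherits that level behind `propagate: False`, so an operator who sets `LOGLEVEL=ERROR` silently loses those WARNING-level security events. Pin a dedicated `"django.security"` entry at WARNING next to it, as below, so security warnings survive a noisier production log level. The enclosing `logging.config.dictConfig(...)` call begins before this hunk.
```python
"django.security": {
    # Security events are WARNING-level; never let LOGLEVEL hide them.
    "level": "WARNING",
    "handlers": ["console"],
    "propagate": False,
},
# … unchanged: "django" catch-all logger …
```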
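Review bot: `SECURE_BROWSER_XSS_FILTER = True` in the added "Additional security headers" lines is dead configuration: the setting and the `X-XSS-Protection` header were removed from Django in 4.0 (this file's checklist comment already points at the 5.0 docs), so it should be deleted rather than suggest coverage that is not there, and `SECURE_CONTENT_TYPE_NOSNIFF` has defaulted to True since 3.0. `X_FRAME_OPTIONS = "DENY"` only takes effect if `XFrameOptionsMiddleware` is in MIDDLEWARE, which is outside this hunk and worth confirming. The new `default=3600` for `SECURE_HSTS_SECONDS` sits next to `SECURE_HSTS_PRELOAD = True`, but preload requires a max-age of at least one year (31536000) and is effectively irreversible once submitted together with includeSubDomains; either keep the value required as before or make the flag explicit, e.g. `SECURE_HSTS_PRELOAD = config("SECURE_HSTS_PRELOAD", default=False, cast=bool)`, so a short rollout max-age does not advertise preload.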