diff --git a/.gitignore b/.gitignore index 63ff39e..9517a21 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,6 @@ npm-debug.log .env .elixir_ls/ + +# Docker secrets directory (generated by `just init-secrets`) +/secrets/ diff --git a/Justfile b/Justfile index 907283f..b97eb14 100644 --- a/Justfile +++ b/Justfile @@ -84,4 +84,27 @@ regen-migrations migration_name commit_hash='': clean: mix clean rm -rf .elixir_ls - rm -rf _build \ No newline at end of file + rm -rf _build + +# Production environment commands +# ================================ + +# Initialize secrets directory with generated secrets (only if not exists) +init-secrets: + #!/usr/bin/env bash + set -euo pipefail + if [ -d "secrets" ]; then + echo "Secrets directory already exists. Skipping generation." + exit 0 + fi + echo "Creating secrets directory and generating secrets..." + mkdir -p secrets + mix phx.gen.secret > secrets/secret_key_base.txt + mix phx.gen.secret > secrets/token_signing_secret.txt + openssl rand -base64 32 | tr -d '\n' > secrets/db_password.txt + touch secrets/oidc_client_secret.txt + echo "Secrets generated in ./secrets/" + +# Start production environment with Docker Compose +start-prod: init-secrets + docker compose -f docker-compose.prod.yml up -d \ No newline at end of file diff --git a/README.md b/README.md index 6db7980..d9569af 100644 --- a/README.md +++ b/README.md @@ -250,7 +250,7 @@ For actual production deployment: - Set `OIDC_BASE_URL` to your production OIDC provider - Configure proper Docker networks 3. **Set up SSL/TLS** (e.g., via reverse proxy like Nginx/Traefik) -4. **Use secure secrets management** (environment variables, Docker secrets, vault) +4. **Use secure secrets management** — All sensitive environment variables support a `_FILE` suffix for Docker secrets (e.g., `SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base`). See `docker-compose.prod.yml` for an example setup with Docker secrets. 5. **Configure database backups** 
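Review bot: The `init-secrets` recipe writes the DB password and both Phoenix signing secrets with the caller's default umask, so with a typical 022 umask `secrets/` ends up 0755 and the `*.txt` files 0644, readable by every local user; add `umask 077` immediately after `set -euo pipefail` (or `chmod 700 secrets` and `chmod 600 secrets/*` before the final echo) so only the invoking user can read them. `touch secrets/oidc_client_secret.txt` leaves an empty client secret that `start-prod` will mount and use without complaint, so print a warning the operator cannot miss, e.g. `echo "NOTE: secrets/oidc_client_secret.txt is empty - fill in the OIDC client secret before starting." >&2`. Because the guard only tests `[ -d "secrets" ]`, a run that fails after `mkdir -p secrets` leaves a partial directory that every later run skips; removing the directory on failure with `trap 'rm -rf secrets' ERR` (set before the `mkdir`) keeps the recipe safely re-runnable.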
diff --git a/config/runtime.exs b/config/runtime.exs
index bd48cc9..9f41626 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -140,11 +140,10 @@ if config_env() == :prod do
 config :mv, MvWeb.Endpoint,
 url: [host: host, port: 443, scheme: "https"],
 http: [
- # Enable IPv6 and bind on all interfaces.
- # Set it to {0, 0, 0, 0, 0, 0, 0, 1} for local network only access.
+ # Bind on all IPv4 interfaces.
+ # Use {0, 0, 0, 0, 0, 0, 0, 0} for IPv6, or {127, 0, 0, 1} for localhost only.
 # See the documentation on https://hexdocs.pm/bandit/Bandit.html#t:options/0
- # for details about using IPv6 vs IPv4 and loopback vs public addresses.
- ip: {0, 0, 0, 0, 0, 0, 0, 0},
+ ip: {0, 0, 0, 0},
 port: port
 ],
 secret_key_base: secret_key_base,
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 0bb2840..5cac351 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
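Review bot: The new `ip: {0, 0, 0, 0}` drops IPv6 listening that the previous any-address setting provided, so clients that reach the release directly over IPv6 (outside the Compose port mapping) will now be refused, and the replacement comment only lists alternatives without stating that; make the trade-off explicit, e.g. `# Bind on all IPv4 interfaces; IPv6 is not listened on (exposure is handled by the container port mapping).` For a bare-metal deployment behind a reverse proxy `{127, 0, 0, 1}` is the least-privilege choice and is worth recommending in that comment rather than only mentioning it. The enclosing `if config_env() == :prod do` block starts and ends outside the hunk.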
@@ -1,22 +1,33 @@
 services:
 app:
- image: git.local-it.org/local-it/mitgliederverwaltung:latest
+ image: mitgliederverwaltung:latest
 container_name: mv-prod-app
- # Use host network for local testing to access localhost:8080 (Rauthy)
- # In real production, remove this and use external OIDC provider
- network_mode: host
+ ports:
+ - "4001:4001"
 environment:
- DATABASE_URL: "ecto://postgres:postgres@localhost:5001/mv_prod"
- SECRET_KEY_BASE: "${SECRET_KEY_BASE}"
- TOKEN_SIGNING_SECRET: "${TOKEN_SIGNING_SECRET}"
- PHX_HOST: "${PHX_HOST}"
+ # Database configuration using separate variables
+ # Use Docker service name for internal networking
+ DATABASE_HOST: "db-prod"
+ DATABASE_PORT: "5432"
+ DATABASE_USER: "postgres"
+ DATABASE_NAME: "mv_prod"
+ DATABASE_PASSWORD_FILE: "/run/secrets/db_password"
+ # Phoenix secrets via Docker secrets
+ SECRET_KEY_BASE_FILE: "/run/secrets/secret_key_base"
+ TOKEN_SIGNING_SECRET_FILE: "/run/secrets/token_signing_secret"
+ PHX_HOST: "${PHX_HOST:-localhost}"
 PORT: "4001"
 PHX_SERVER: "true"
- # Rauthy OIDC config - uses localhost because of host network mode
+ # Rauthy OIDC config - use host.docker.internal to reach host services
 OIDC_CLIENT_ID: "mv"
- OIDC_BASE_URL: "http://localhost:8080/auth/v1"
- OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET:-}"
+ OIDC_BASE_URL: "http://host.docker.internal:8080/auth/v1"
+ OIDC_CLIENT_SECRET_FILE: "/run/secrets/oidc_client_secret"
 OIDC_REDIRECT_URI: "http://localhost:4001/auth/user/rauthy/callback"
+ secrets:
+ - db_password
+ - secret_key_base
+ - token_signing_secret
+ - oidc_client_secret
 depends_on:
 - db-prod
 restart: unless-stopped
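Review bot: `OIDC_BASE_URL` now relies on `host.docker.internal`, which Docker Engine on Linux does not resolve inside a container unless the service declares it, so OIDC discovery will fail there; add `extra_hosts:` / `- "host.docker.internal:host-gateway"` to the `app` service. The removed comment's warning that this Rauthy-on-localhost setup is for local testing only was not carried over, and both `OIDC_BASE_URL` and `OIDC_REDIRECT_URI` remain plain `http://`, which sends the client secret and tokens in the clear; restore the caveat on the new comment line, e.g. `# Rauthy OIDC config for local testing only - in real production point OIDC_BASE_URL/OIDC_REDIRECT_URI at an https provider`. `ports: - "4001:4001"` publishes the app on every host interface; if a reverse proxy fronts it, `- "127.0.0.1:4001:4001"` keeps it off public interfaces.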
@@ -26,13 +37,25 @@ services:
 container_name: mv-prod-db
 environment:
 POSTGRES_USER: postgres
- POSTGRES_PASSWORD: postgres
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
 POSTGRES_DB: mv_prod
+ secrets:
+ - db_password
 volumes:
 - postgres_data_prod:/var/lib/postgresql/data
 ports:
 - "5001:5432"
 restart: unless-stopped
 
+secrets:
+ db_password:
+ file: ./secrets/db_password.txt
+ secret_key_base:
+ file: ./secrets/secret_key_base.txt
+ token_signing_secret:
+ file: ./secrets/token_signing_secret.txt
+ oidc_client_secret:
+ file: ./secrets/oidc_client_secret.txt
+
 volumes:
 postgres_data_prod:
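Review bot: Now that the app reaches Postgres over the Compose network as `db-prod:5432`, the `ports: - "5001:5432"` mapping kept in this hunk is no longer needed and publishes the database on every host interface with the generated password as the only barrier; drop the mapping, or bind it to loopback with `- "127.0.0.1:5001:5432"` if host-side access is still wanted. The top-level `secrets:` entries are file-backed, so each `./secrets/*.txt` must exist before `docker compose up` and its host-side permissions are all that protect it; a comment next to the block would help operators, e.g. `# Files generated by 'just init-secrets'; keep them mode 0600 and never commit them`. Quoting `POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"` would also match the quoting style used for the same paths in the `app` service.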