diff --git a/.gitignore b/.gitignore index 10f1650..aa7817e 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ Session.vim /.venv /.coverage /htmlcov +/secret.txt +/static __pycache__ .*.swp diff --git a/README.md b/README.md index 51a3c07..2f80211 100644 --- a/README.md +++ b/README.md @@ -17,8 +17,20 @@ source .venv/bin/activate pip install -r requirements.txt ``` -Set the django ```SECRET_KEY``` and ```ALLOWED_HOSTS``` in [the settings file](etesync_server/settings.py). -For more information on these please refer to the [django deployment checklist](https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/). +Edit the [settings file](etesync_server/settings.py). Please refer to the +[Django deployment +checklist](https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/) +for full instructions on how to configure a Django app for production. Some +particular settings that should be edited are: + * [`ALLOWED_HOSTS`](https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-ALLOWED_HOSTS) + -- this is the list of host/domain names or addresses on which the app +will be served + * [`DEBUG`](https://docs.djangoproject.com/en/1.11/ref/settings/#debug) + -- handy for debugging, set to `False` for production + * [`SECRET_KEY`](https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SECRET_KEY) + -- an ephemeral secret used for various cryptographic signing and token +generation purposes. See below for how default configuration of +`SECRET_KEY` works for this project. Now you can initialise our django app 
@@ -50,6 +62,26 @@ That's it! Now all that's left is to open the EteSync app, add an account, and set your custom server address under the "advance" section. +# `SECRET_KEY` and `secret.txt` + +The default configuration creates a file “`secret.txt`” in the project’s +base directory, which is used as the value of the Django `SECRET_KEY` +setting. You can revoke this key by deleting the `secret.txt` file and the +next time the app is run, a new one will be generated. Make sure you keep +the `secret.txt` file secret (don’t accidentally commit it to version +control, exclude it from your backups, etc.). If you want to change to a +more secure system for storing secrets, edit `etesync_server/settings.py` +and implement your own method for setting `SECRET_KEY` (remove the line +where it uses the `get_secret_from_file` function). Read the Django docs +for more information about the `SECRET_KEY` and its uses. + +# Updating + +Inside the virtualenv, run `pip install -U -r requirements.txt` to update +dependencies to latest compatible versions of Django and +djangorestframework (it will only update to latest patch level which should +be API-compatible). + # Supporting EteSync Please consider registering an account even if you self-host in order to support the development of EteSync, or help by spreading the word. diff --git a/etesync_server/settings.py b/etesync_server/settings.py index fd1ae53..fe65225 100644 --- a/etesync_server/settings.py +++ b/etesync_server/settings.py @@ -11,6 +11,7 @@ https://docs.djangoproject.com/en/1.10/ref/settings/ """ import os +from .utils import get_secret_from_file # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) 
@@ -20,7 +21,9 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = '' +# See secret.py for how this is generated; uses a file 'secret.txt' in the root +# directory +SECRET_KEY = get_secret_from_file(os.path.join(BASE_DIR, "secret.txt")) # SECURITY WARNING: don't run with debug turned on in production! DEBUG = False
diff --git a/etesync_server/utils.py b/etesync_server/utils.py
new file mode 100644
index 0000000..8f85f10
--- /dev/null
+++ b/etesync_server/utils.py
@@ -0,0 +1,11 @@
+from django.core.management import utils
+
+def get_secret_from_file(path):
+    try:
+        with open(path, "r") as f:
+            return f.read().strip()
+    except EnvironmentError:
+        with open(path, "w") as f:
+            secret_key = utils.get_random_secret_key()
+            f.write(secret_key)
+            return secret_key
diff --git a/requirements.txt b/requirements.txt
index 71ee320..78f52df 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
-Django==1.11.7
-djangorestframework==3.7.1
+Django>=1.11,<1.11.999
+djangorestframework>=3.7,<3.7.999
 drf-nested-routers==0.90.0
-pytz==2017.3
+pytz
 git+git://github.com/etesync/journal-manager@v0.4.1
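Review bot: The new comment above `SECRET_KEY` sends readers to `secret.py`, but the helper is imported from `.utils` in this file's earlier hunk and defined in the new `etesync_server/utils.py`, so the pointer is wrong. Suggest `# Read from, or generated into, BASE_DIR/secret.txt by utils.get_secret_from_file` in place of the two added comment lines. It would also help operators to state there what the README says in prose: deleting `secret.txt` rotates the key on next start, which presumably invalidates sessions and other data signed with the old key.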
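Review bot: `with open(path, "w") as f:` creates `secret.txt` with the process umask (commonly 0644), so the freshly generated SECRET_KEY can be read by any other local account on a shared host; create it via `os.open` with mode `0o600` and `os.fdopen` the descriptor instead. `except EnvironmentError` is also broader than the intent: any read failure other than a missing file (a permission error, for instance) falls into the write branch and silently replaces the existing secret, invalidating everything signed with it, so only a missing file should trigger generation. Using `O_EXCL` on the create additionally prevents two processes starting at once from each writing their own key over the other. The rewrite below needs `import os` in the module header; if Python 2 must stay supported, test `err.errno == errno.ENOENT` on the caught `EnvironmentError` instead of `FileNotFoundError`.
```python
def get_secret_from_file(path):
    try:
        with open(path, "r") as f:
            return f.read().strip()
    except FileNotFoundError:
        pass  # only an absent file may trigger key generation

    secret_key = utils.get_random_secret_key()
    # Owner-only mode and O_EXCL: the key is never world-readable, and a
    # concurrent first start cannot overwrite a key another process just wrote.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret_key)
    return secret_key
```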
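Review bot: `pytz` loses its pin entirely while the other two lines get range pins, so a `pip install -r requirements.txt` is no longer reproducible for that package and will pull whatever is newest; keep at least a lower bound such as `pytz>=2017.3`. `<1.11.999` is an unusual way to spell a patch-level range; `Django~=1.11.0` and `djangorestframework~=3.7.0` express "latest 1.11.x / 3.7.x" directly and match the README hunk's "only update to latest patch level" wording.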