diff --git a/.env.sample b/.env.sample
index c6ba74f..47ad531 100644
--- a/.env.sample
+++ b/.env.sample
@@ -9,6 +9,7 @@ DOMAIN=hedgedoc.example.com
 LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SESSION_SECRET_VERSION=v1
 COMPOSE_FILE="compose.yml"
@@ -34,6 +35,7 @@ COMPOSE_FILE="compose.yml"
 # CMD_ALLOW_ANONYMOUS_EDITS=false
 # CMD_ALLOW_EMAIL_REGISTER=true
 # CMD_ALLOW_FREEURL=false
+# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
 # CMD_ALLOW_GRAVATAR=true
 # CMD_ALLOW_ORIGIN=localhost
 # CMD_COOKIE_POLICY=lax
diff --git a/compose.yml b/compose.yml
index 02bfc7f..19a79ec 100644
--- a/compose.yml
+++ b/compose.yml
@@ -16,6 +16,7 @@ services:
       - CMD_ALLOW_ANONYMOUS_EDITS
       - CMD_ALLOW_EMAIL_REGISTER
       - CMD_ALLOW_FREEURL
+      - CMD_REQUIRE_FREEURL_AUTHENTICATION
       - CMD_ALLOW_GRAVATAR
       - CMD_ALLOW_ORIGIN
       - CMD_COOKIE_POLICY
@@ -26,6 +27,7 @@ services:
       - CMD_DEFAULT_PERMISSION
       - CMD_EMAIL
       - CMD_SESSION_LIFE
+      - CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
       - DOCUMENT_MAX_LENGTH
     depends_on:
       - db
@@ -36,6 +38,7 @@ services:
       - codimd_uploads:/hedgedoc/public/uploads
     secrets:
       - db_password
+      - session_secret
     entrypoint: /docker-entrypoint.sh
     configs:
       - source: entrypoint_conf
@@ -100,6 +103,9 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  session_secret:
+    external: true
+    name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
 networks:
   proxy:
     external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 6692448..c586369 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -24,6 +24,7 @@ file_env() {
 load_vars() {
   file_env "CMD_DB_PASSWORD"
   file_env "CMD_OAUTH2_CLIENT_SECRET"
+  file_env "CMD_SESSION_SECRET"
 }
 main() {
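Review bot: The new `# CMD_REQUIRE_FREEURL_AUTHENTICATION=true` line is commented out, so deployments inherit HedgeDoc's built-in default, which as far as I recall is `false`; combined with `CMD_ALLOW_FREEURL=true` that lets unauthenticated visitors create notes at arbitrary paths. If the point of surfacing the variable is to close that gap, ship it uncommented as `CMD_REQUIRE_FREEURL_AUTHENTICATION=true`, or at least add a comment above it such as `# Only relevant when CMD_ALLOW_FREEURL=true; keep true unless anonymous note creation at chosen URLs is wanted`. Either way, note next to it that the option has no effect until `CMD_ALLOW_FREEURL` is enabled, which the sample also leaves at its default.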
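Review bot: `CMD_SESSION_SECRET_FILE` is set to a fixed value of `/run/secrets/session_secret`, whereas every other entry in this list is a bare pass-through from the host environment, so a reader has to know about the entrypoint to understand why; a comment above it would help: `# resolved by the entrypoint's file_env into CMD_SESSION_SECRET; a fixed secret keeps sessions valid across restarts`. Presumably the motivation is that HedgeDoc no longer generates a fresh session secret per container start, which also means every replica must mount the same secret — the external secret below provides that, but it is worth stating here. The `environment` list starts before this hunk.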
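Review bot: The new `session_secret` entry is `external: true`, so the stack will not deploy until the secret exists, yet nothing in the diff documents how to create it or how strong it should be; add a comment above it, e.g. `# create before deploy: openssl rand -hex 32 | docker secret create ${STACK_NAME}_session_secret_v1 -`. Bumping `SECRET_SESSION_SECRET_VERSION` rotates the secret and invalidates every active session cookie (they are signed with this value), which is the intended way to force a global logout and should be documented next to the variable. Because the version is part of the secret name, old versions also linger in the swarm store until removed with `docker secret rm`.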
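Review bot: `file_env "CMD_SESSION_SECRET"` follows the pattern of the two existing calls, but `file_env` is defined above the hunk and I cannot see whether it fails or silently leaves the variable empty when `/run/secrets/session_secret` is missing or unreadable; in the silent case HedgeDoc would, as far as I recall, fall back to generating a random session secret at startup, quietly restoring the old behaviour of logging everyone out on each restart. A guard after the three calls turns that into a visible failure: `[ -n "${CMD_SESSION_SECRET:-}" ] || { echo "CMD_SESSION_SECRET is not set (missing secret file?)" >&2; exit 1; }`. `main()` begins at the end of the hunk and continues outside it.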