diff --git a/game/views.py b/game/views.py
index 3c434a4..f6632f0 100644
--- a/game/views.py
+++ b/game/views.py
@@ -305,22 +305,6 @@ class GameDetailView(LoginRequiredMixin, DetailView):
 )
-class YoutubeLoginView(LoginRequiredMixin, View):
- def get(self, request):
- flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
- settings.YOUTUBE_OAUTH_SECRETS,
- ["https://www.googleapis.com/auth/youtube.force-ssl"],
- )
- flow.redirect_uri = "https://localhost/youtube_callback/"
- auth_url, state = flow.authorization_url(
- access_type="offline",
- include_granted_scopes="true",
- prompt="consent",
- )
- self.request.session["state"] = state
- return redirect(auth_url)
-
-
 class YoutubeCallbackView(LoginRequiredMixin, View):
 def get(self, request):
 if err := request.GET.get("error"):
@@ -335,7 +319,7 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
 ["https://www.googleapis.com/auth/youtube.force-ssl"],
 state=state,
 )
- flow.redirect_uri = "https://localhost/youtube_callback/"
+ flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")
 flow.fetch_token(code=request.GET.get("code"))
@@ -358,6 +342,22 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
 return redirect("/")
+class YoutubeLoginView(LoginRequiredMixin, View):
+ def get(self, request):
+ flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
+ settings.YOUTUBE_OAUTH_SECRETS,
+ ["https://www.googleapis.com/auth/youtube.force-ssl"],
+ )
+ flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")
+ auth_url, state = flow.authorization_url(
+ access_type="offline",
+ include_granted_scopes="true",
+ prompt="consent",
+ )
+ self.request.session["state"] = state
+ return redirect(auth_url)
+
+
 class GroupClearBlacklistView(OwnerFilterMixin, SingleObjectMixin, View):
 model = models.Group
diff --git a/musik/settings.py b/musik/settings.py
index 0471604..f4aac85 100644
--- a/musik/settings.py
+++ b/musik/settings.py
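Review bot: In game/views.py, the new `flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")` in YoutubeCallbackView (and the identical line in the re-added YoutubeLoginView in the last hunk of that file) takes the OAuth redirect URI's host and scheme from request headers instead of from configuration. With `USE_X_FORWARDED_HOST` and `SECURE_PROXY_SSL_HEADER` enabled in musik/settings.py by this same diff, those values come from X-Forwarded-Host and X-Forwarded-Proto: ALLOWED_HOSTS bounds the host, but the scheme is whatever the forwarding header claims, and the URI sent at login has to match the one sent at token exchange exactly. Building it from the configured host keeps both views in agreement whatever the headers say, e.g. `flow.redirect_uri = f"https://{settings.HOST}/youtube_callback/"`, ideally through one shared helper or constant so the path is not spelled out twice. YoutubeCallbackView.get starts and ends outside its hunk, so how `state` is read back from the session is not visible here.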
@@ -21,7 +21,10 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_="
+SECRET_KEY = os.getenv(
+ "MUSIK_SECRET_KEY",
+ "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_=",
+)
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = "DEBUG" in os.environ
@@ -29,6 +32,8 @@ DEBUG = "DEBUG" in os.environ
 HOST = os.getenv("MUSIK_HOST", "localhost")
 ALLOWED_HOSTS = [HOST]
 CSRF_TRUSTED_ORIGINS = [f"https://{HOST}"]
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 # Application definition
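Review bot: The `os.getenv("MUSIK_SECRET_KEY", ...)` call still falls back to the committed `django-insecure-` key, so a deployment that forgets to set the variable starts without any error and signs sessions, CSRF tokens and other signed data with a value that is public in the repository history. The fallback should only be reachable in development, and a non-debug start without the variable should fail loudly. Because `DEBUG` is assigned a few lines further down, the sketch below tests the environment directly, the same way the `DEBUG` line does. Any production deployment that has already run on the committed key should be given a fresh one.

```python
SECRET_KEY = os.getenv("MUSIK_SECRET_KEY")
if not SECRET_KEY:
    if "DEBUG" not in os.environ:
        raise RuntimeError("MUSIK_SECRET_KEY must be set when DEBUG is off")
    # Development-only fallback; a production deployment never reaches this line.
    SECRET_KEY = "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_="
# … unchanged: DEBUG assignment …
```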
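Review bot: `USE_X_FORWARDED_HOST = True` and `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` are switched on unconditionally, which is only sound when every request passes through a reverse proxy that overwrites both headers. If the application server is ever reachable directly, a client-supplied `X-Forwarded-Proto: https` makes `request.is_secure()` return true on a plain-HTTP connection, and `X-Forwarded-Host` replaces the Host header (still bounded by `ALLOWED_HOSTS`). At minimum the requirement should be recorded next to the settings, e.g. `# Requires a reverse proxy that overwrites X-Forwarded-Host and X-Forwarded-Proto on every request.` Better still, gate both settings on a deployment flag read from the environment, in the same style as the `DEBUG` line, so that local and direct runs do not trust these headers.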