diff --git a/NEWS.md b/NEWS.md
index c7b61d0744..44f60e1eb0 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -2,7 +2,8 @@ Development
 -----------
 ### NOTICES
-- None yet
+- For increased security, it's recommended to update the config to include a `secret_key_base`. You can generate a
+ suitable random key by using `bundle exec rake secret`
 ### Features
 * Visualizations backup revamp [#14698](https://github.com/CartoDB/cartodb/issues/14698)
diff --git a/config/app_config.yml.sample b/config/app_config.yml.sample
index c4347d8f13..e3f39a71fb 100644
--- a/config/app_config.yml.sample
+++ b/config/app_config.yml.sample
@@ -16,6 +16,8 @@ defaults: &defaults
 http_port: 3000 # nil|integer. HTTP port to use when building urls. Leave empty to use default (80)
 https_port: # nil|integer. HTTPS port to use when building urls. Leave empty to use default (443)
 secret_token: '71c2b25921b84a1cb21c71503ab8fb23'
+ # It's recommended to generate a new secret_key_base for each installation using `bundle exec rake secret`
+ secret_key_base: '65903fa751affcdd71a9eb09308bcb404c50c8df03414db849ea22fbe8d4aae9ff344f6594630eb9c8367b4fd8ed2211d0342a49df473dccc27ae0be120b25ab'
 account_host: 'localhost.lan:3000'
 # Here you can define other hosts different to account_host that also will be CORS enabled
 # cors_enabled_hosts:
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index ab0b90c925..2fb8b7b7b2 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -5,3 +5,4 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
 CartoDB::Application.config.secret_token = Cartodb.config[:secret_token]
+CartoDB::Application.config.secret_key_base = Cartodb.config[:secret_key_base]
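Review bot: The added `secret_key_base` line ships a concrete 128-hex value in the sample config, under the `&defaults` anchor that every environment inherits, so any deployment that copies `app_config.yml.sample` without regenerating it runs with a key that is public in this repository. In Rails `secret_key_base` feeds the key generator for signed and encrypted cookies, so a shared, known value lets anyone forge session cookies for that installation, and the comment above it only recommends regenerating rather than enforcing it. Prefer leaving the value empty so an unchanged sample is detectable at boot instead of silently working, e.g. `secret_key_base: # REQUIRED per installation: generate with bundle exec rake secret`. The `secret_token` line two lines up has the same problem and predates this change; if both are kept as working defaults, the comment should at least state that neither value may be used as-is outside local development.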
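Review bot: The new assignment sets `config.secret_key_base` to `nil` whenever an existing `app_config.yml` has not been updated with the new key, which is the state of every installation upgrading to this change since the NEWS entry only recommends adding it. Depending on the Rails version in use, a nil `secret_key_base` appears either to fall back to the legacy `secret_token` or to raise at first cookie use rather than at boot, so the failure surfaces far from its cause. Fail fast in the initializer with a message that names the fix, e.g. `secret_key_base = Cartodb.config[:secret_key_base]` followed by `raise 'secret_key_base missing from app_config.yml; run bundle exec rake secret to generate one' if secret_key_base.nil? || secret_key_base.empty?` and then the existing assignment from that local. The two comment lines kept as context describe `secret_token`; a one-line comment above the new assignment such as `# secret_key_base is the value rake secret produces and what Rails uses to sign and encrypt cookies; it must be unique per installation` would stop readers from assuming the 30-character note applies to it.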