diff --git a/bugsink/conf_templates/docker.py.template b/bugsink/conf_templates/docker.py.template
index ff70756..6e6f425 100644
--- a/bugsink/conf_templates/docker.py.template
+++ b/bugsink/conf_templates/docker.py.template
@@ -1,10 +1,11 @@
+import os
+
 from bugsink.settings.default import * # noqa
 from bugsink.settings.default import DATABASES
 DEBUG = True
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "q47jh!sj-y4+6i4_fj*tyj1ej2&wl6st+@^ycgs7kl81dg^33h"
+SECRET_KEY = os.getenv("SECRET_KEY")
 # Alternatively, pass the SECRET_KEY as an environment variable. (although that has security implications too!)
 # i.e. those may leak in shared server setups.
diff --git a/bugsink/scripts/server_unified.py b/bugsink/scripts/server_unified.py
index fe76e6d..ea756e6 100644
--- a/bugsink/scripts/server_unified.py
+++ b/bugsink/scripts/server_unified.py
@@ -22,6 +22,8 @@ class ParentProcess:
 """
 print("Server-unified starting with pid", os.getpid())
+ self.pre_start()
+
 self.children = []
 # I think Docker will send a SIGTERM to the main process when it wants to stop the container; SIGINT is for 
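Review bot: `SECRET_KEY = os.getenv("SECRET_KEY")` evaluates to None when the variable is unset, so the failure only surfaces later as Django's generic "The SECRET_KEY setting must not be empty" ImproperlyConfigured instead of naming the missing variable; `SECRET_KEY = os.environ["SECRET_KEY"]` fails at import with a KeyError that names it, or keep getenv and raise explicitly with a message. The surviving comment two lines down ("Alternatively, pass the SECRET_KEY as an environment variable…") now describes the only supported path and reads as stale; something like `# SECRET_KEY is read from the environment; note that environment variables can leak in shared server setups.` fits the new code. `DEBUG = True` also remains in this template as a context line; if that value reaches the rendered Docker settings, the `check --deploy --fail-level WARNING` added in server_unified.py would presumably refuse to start on security.W018, so it is worth confirming how DEBUG is actually set in the container.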
@@ -36,6 +38,22 @@ class ParentProcess:
 for child in self.children:
 child.wait()
+ def pre_start(self):
+ # I'd rather pull this out of server_unified.py, but I don't know how to do that in a way that works with
+ # Docker: The recommended way of running CMD in a Dockerfile is to use the exec form, which doesn't allow for
+ # running a script that does some setup before starting the main process, i.e. doesn't allow for '&&').
+ # Recommended here means: warning about signal-handling if you choose the other form.
+ #
+ # I also don't want to introduce further arg-parsing (distinguishing between serial and parallel start) so here
+ # we have it.
+ if sys.argv[1:2] == ["NO_DEPLOY_CHECK"]:
+ check = subprocess.run(["bugsink-manage", "check", "--fail-level", "WARNING"])
+ else:
+ check = subprocess.run(["bugsink-manage", "check", "--deploy", "--fail-level", "WARNING"])
+ if check.returncode != 0:
+ # print("Server-unified failed to start because 'bugsink-manage check' failed.") superfluous
+ sys.exit(1)
+
 def start_children(self):
 # Start the server
 # Leaving stdout and stderr as None will make the output of the child processes be passed as our own.
@@ -74,6 +92,9 @@ class ParentProcess:
 # We don't want to pass the first argument, as that is the script name
 args = sys.argv[1:]
+ if args[:1] == ["NO_DEPLOY_CHECK"]:
+ args = args[1:]
+
 result = [[]]
 for arg in args:
 if arg == "UNIFIED_WITH":
diff --git a/bugsink/settings/default.py b/bugsink/settings/default.py
index ff858c7..a7fad68 100644
--- a/bugsink/settings/default.py
+++ b/bugsink/settings/default.py
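Review bot: pre_start spells the `bugsink-manage check` command out twice, differing only in `--deploy`, and the sentinel literal `"NO_DEPLOY_CHECK"` is tested here against `sys.argv[1:2]` and again against `args[:1]` in the @@ -74 hunk; a single command list plus a module-level `NO_DEPLOY_CHECK = "NO_DEPLOY_CHECK"` used by both sites keeps the two argument parsers from drifting apart. The commented-out print above `sys.exit(1)` is dead code and should be deleted rather than annotated as superfluous. Note also that if the `bugsink-manage` executable is not on PATH, subprocess.run raises FileNotFoundError, so the process dies with a traceback instead of the exit-1 path used for a failed check — acceptable, but worth a one-line comment if that is intended. Both sites only recognise the sentinel as the very first argument, which looks deliberate.
```python
    def pre_start(self):
        # … unchanged: rationale comment …
        cmd = ["bugsink-manage", "check", "--fail-level", "WARNING"]
        if sys.argv[1:2] != ["NO_DEPLOY_CHECK"]:
            cmd.insert(2, "--deploy")  # bugsink-manage check --deploy --fail-level WARNING
        if subprocess.run(cmd).returncode != 0:
            sys.exit(1)
```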
@@ -205,6 +205,21 @@ WHITENOISE_USE_FINDERS = True
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
+SILENCED_SYSTEM_CHECKS = [
+ # in the recommended setup this is done at the proxy level; in Docker telling people about it is a TODO
+ "security.W004", # SECURE_HSTS_SECONDS
+
+ # in the recommended setup this is done at the proxy level; in Docker telling people about it is a TODO
+ "security.W008", # SECURE_SSL_REDIRECT
+
+ # TODO correct this for the recommended setup; in Docker telling people about it is a TODO
+ "security.W012", # SESSION_COOKIE_SECURE
+
+ # TODO correct this for the recommended setup; in Docker telling people about it is a TODO
+ "security.W016", # CSRF_COOKIE_SECURE
+]
+
+
 LOGGING = deepcopy(DEFAULT_LOGGING)
 if I_AM_RUNNING != "TEST":
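Review bot: Silencing security.W012 and security.W016 in settings/default.py suppresses the SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE deploy warnings for every installation that star-imports these defaults, not only the Docker image, so an operator who terminates TLS at a proxy and never sets those two flags will not hear about it from `check --deploy`; the inline comment already concedes this is a TODO for the recommended setup. Consider defining the list (or at least the W012/W016 entries) in the Docker template instead, which imports default.py with `*` and can override it, so the recommended setup keeps the cookie warnings. Whatever stays silenced, the comment should tell the reader what to do, e.g. `# when TLS terminates at the proxy, set SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True`. The "done at the proxy level" rationale for W004 and W008 likewise holds only for the recommended setup and is clearer stated once above the list than repeated per entry.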