diff --git a/services/web/app/src/infrastructure/Server.js b/services/web/app/src/infrastructure/Server.js
index 843bbed3a0..4738593229 100644
--- a/services/web/app/src/infrastructure/Server.js
+++ b/services/web/app/src/infrastructure/Server.js
@@ -154,6 +154,10 @@ if (Settings.useHttpPermissionsPolicy) {
 RedirectManager.apply(webRouter)
+if (!Settings.security.sessionSecret) {
+  throw new Error('Session secret is not set - refusing to start server')
+}
+
 webRouter.use(cookieParser(Settings.security.sessionSecret))
 SessionAutostartMiddleware.applyInitialMiddleware(webRouter)
 Modules.registerMiddleware(webRouter, 'sessionMiddleware', {
diff --git a/services/web/config/settings.defaults.js b/services/web/config/settings.defaults.js
index f1d679394a..d18a09155b 100644
--- a/services/web/config/settings.defaults.js
+++ b/services/web/config/settings.defaults.js
@@ -43,7 +43,7 @@ if (httpAuthUser && httpAuthPass) {
   httpAuthUsers[httpAuthUser] = httpAuthPass
 }
-const sessionSecret = process.env.SESSION_SECRET || 'secret-please-change'
+const sessionSecret = process.env.SESSION_SECRET
 const intFromEnv = function (name, defaultValue) {
   if (
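Review bot: The new guard in Server.js only rejects a missing or empty secret; a deployment that still carries the old placeholder `secret-please-change` in its environment (or any other short, guessable value) passes the check and the cookie signatures produced by `cookieParser(Settings.security.sessionSecret)` on the next line remain forgeable. Since the server now refuses to start anyway, this is the place to also reject the known placeholder and enforce a minimum length, e.g. `const secret = Settings.security.sessionSecret` / `if (typeof secret !== 'string' || secret.length < 32 || secret === 'secret-please-change') {` / `  throw new Error('Session secret is missing or too weak - refusing to start server')`. The exact minimum is a policy choice; the point is that "set" is not the same as "strong". The guard sits in top-level module code, so the surrounding statements run at import time and the throw aborts startup as intended.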
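Review bot: With the fallback removed, `sessionSecret` is `undefined` whenever `SESSION_SECRET` is unset, and nothing in this file says that this is deliberate or where the failure is surfaced; a reader seeing the bare `process.env.SESSION_SECRET` may be tempted to "fix" it by reintroducing a default. Add a comment on the new line making the contract explicit: `// Intentionally no fallback: SESSION_SECRET must be provided. Server.js refuses to start if it is missing.`. Where this value is assigned into the exported settings is outside the hunk, so I cannot tell from here whether any other consumer of the defaults (scripts or other services loading this config without going through Server.js) would now read `undefined` silently — worth confirming, and if so the check belongs here at config load rather than only in Server.js.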