diff --git a/Dockerfile b/Dockerfile
index 1b6a746..26d3e17 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,14 +35,17 @@ RUN apk add --no-cache \
 # Copy binary from builder
 COPY --from=builder /pixad /usr/local/bin/pixad
 
-# Create non-root user and data directory
+# Create non-root user, config directory, and data directory
 RUN adduser -D -H -s /sbin/nologin pixad && \
-    mkdir -p /var/lib/pixa && \
+    mkdir -p /var/lib/pixa /etc/pixa && \
     chown pixad:pixad /var/lib/pixa
 
+# Copy default config (edit signing_key before use)
+COPY config.example.yml /etc/pixa/config.yml
+
 USER pixad
 WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
-ENTRYPOINT ["/usr/local/bin/pixad"]
+ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]
diff --git a/Makefile b/Makefile
index 25942f9..b7e0b05 100644
--- a/Makefile
+++ b/Makefile
@@ -49,7 +49,9 @@ docker-test:
 
 # Run local dev server in Docker
 devserver: docker devserver-stop
-	docker run -d --name pixad-dev -p 8080:8080 pixad:latest
+	docker run -d --name pixad-dev -p 8080:8080 \
+		-v $(CURDIR)/config.dev.yml:/etc/pixa/config.yml:ro \
+		pixad:latest
 	@echo "pixad running at http://localhost:8080"
 
 # Stop dev server
diff --git a/config.dev.yml b/config.dev.yml
new file mode 100644
index 0000000..324bdf5
--- /dev/null
+++ b/config.dev.yml
@@ -0,0 +1,7 @@
+# Development config for local Docker testing
+signing_key: "dev-signing-key-minimum-32-chars!"
+debug: true
+allow_http: true
+whitelist_hosts:
+  - localhost
+  - s3.sneak.cloud
diff --git a/config.example.yml b/config.example.yml
new file mode 100644
index 0000000..7b4d42b
--- /dev/null
+++ b/config.example.yml
@@ -0,0 +1,13 @@
+# Pixa configuration
+#
+# REQUIRED: Set signing_key before starting the server.
+# Generate with: openssl rand -base64 32
+
+signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
+
+whitelist_hosts:
+  - s3.sneak.cloud
+  - static.sneak.cloud
+  - sneak.berlin
+  - github.com
+  - user-images.githubusercontent.com
diff --git a/internal/config/config.go b/internal/config/config.go
index bd8ff4d..a42f442 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -84,9 +84,29 @@ func New(_ fx.Lifecycle, params Params) (*Config, error) {
 		params.Logger.EnableDebugLogging()
 	}
 
+	// Validate required configuration
+	if err := c.validate(); err != nil {
+		return nil, err
+	}
+
 	return c, nil
 }
 
+// validate checks that all required configuration values are set.
+func (c *Config) validate() error {
+	if c.SigningKey == "" {
+		return fmt.Errorf("signing_key is required")
+	}
+
+	// Minimum key length for security (32 bytes = 256 bits)
+	const minKeyLength = 32
+	if len(c.SigningKey) < minKeyLength {
+		return fmt.Errorf("signing_key must be at least %d characters", minKeyLength)
+	}
+
+	return nil
+}
+
 // loadConfigFile loads configuration from PIXA_CONFIG_PATH env var or standard locations.
 func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, error) {
 	// Check for explicit config path from environment