diff --git a/conservancy/settings/prod.py b/conservancy/settings/prod.py
new file mode 100644
index 0000000000000000000000000000000000000000..e1c97300eb43fcf1284739c9200f046378f38fe4
--- /dev/null
+++ b/conservancy/settings/prod.py
@@ -0,0 +1,41 @@
+import json
+
+from django.core.exceptions import ImproperlyConfigured
+
+from .base import *
+
+DEBUG = False
+ALLOWED_HOSTS = ['www.sfconservancy.org', 'sfconservancy.org']
+
+FORCE_CANONICAL_HOSTNAME = 'sfconservancy.org'
+
+ADMINS = [
+    ('Bradley M. Kuhn', 'sysadmin@sfconservancy.org'),
+    ('Ben Sturmfels', 'sysadmin+conservancy@sturm.com.au'),
+]
+
+MANAGERS = [
+    ('Bradley M. Kuhn', 'sysadmin@sfconservancy.org'),
+]
+
+DATABASES = {
+    'default': {
+        'NAME': '/var/lib/www/database/conservancy-website.sqlite3',
+        'ENGINE': 'django.db.backends.sqlite3',
+    }
+}
+
+# Apache/mod_wsgi doesn't make it straightforward to pass environment variables
+# to Django (can't use the Apache config).
+with open(BASE_DIR / 'secrets.json') as f:
+    secrets = json.load(f)
+
+def get_secret(secrets, setting):
+    try:
+        return secrets[setting]
+    except KeyError:
+        raise ImproperlyConfigured(f'Missing secret \'{setting}\'')
+
+SECRET_KEY = get_secret(secrets, 'SECRET_KEY')
+
+SESSION_COOKIE_SECURE = True