diff --git a/.env.example b/.env.example
index 3b4492e..44a6e15 100644
--- a/.env.example
+++ b/.env.example
@@ -31,6 +31,10 @@ LLM_HOST=localhost
 # Docker Compose overrides this to http://searxng:8080 for in-network access.
 SEARXNG_INSTANCE=http://localhost:8080
+# Optional SearXNG cookie/CSRF secret. If blank, Docker generates one on first boot
+# and stores it in the searxng-data volume.
+# SEARXNG_SECRET=
+
 # ============================================================
 # Database
 # ============================================================
diff --git a/README.md b/README.md
index 60db276..ec62147 100644
--- a/README.md
+++ b/README.md
@@ -170,6 +170,7 @@ Key settings:
 | `LLM_HOSTS` | -- | Comma-separated list for model discovery |
 | `OPENAI_API_KEY` | -- | Optional OpenAI key. Prefer adding providers in the app unless pre-seeding. |
 | `SEARXNG_INSTANCE` | `http://localhost:8080` | SearXNG URL. Docker overrides this to `http://searxng:8080`. |
+| `SEARXNG_SECRET` | generated on first Docker boot | Optional SearXNG cookie/CSRF secret. Leave blank unless you need to pin it. |
 | `AUTH_ENABLED` | `true` | Enable/disable login |
 | `LOCALHOST_BYPASS` | `false` | Development-only auth bypass for loopback requests. Keep false for shared/network deployments. |
 | `DATABASE_URL` | `sqlite:///./data/app.db` | Database connection string |
diff --git a/config/searxng/settings.yml b/config/searxng/settings.yml
index 04eb5b5..dd1dc84 100644
--- a/config/searxng/settings.yml
+++ b/config/searxng/settings.yml
@@ -1,7 +1,7 @@
 use_default_settings: true
 server:
- secret_key: "odysseus-local-searxng-json-2026-05-30"
+ secret_key: "__SEARXNG_SECRET__"
 search:
 formats:
diff --git a/docker-compose.yml b/docker-compose.yml
index 125b6a8..2d8e308 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
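Review bot: The placeholder contract of `secret_key: "__SEARXNG_SECRET__"` is not documented in the file itself: the value is only substituted by the docker-compose entrypoint, so anyone who points a non-Docker SearXNG at `config/searxng/settings.yml` (which the compose file used to mount directly) now runs with a fixed, publicly known `secret_key`. A comment above the key would make this explicit, e.g. `# Placeholder: docker-compose renders the real value at container start; never run SearXNG with this literal.` The literal secret this hunk removes also remains in git history, so it should be treated as disclosed rather than reused anywhere.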
@@ -51,13 +51,27 @@ services:
 searxng:
 image: searxng/searxng:latest
+ entrypoint:
+ - /bin/sh
+ - -c
+ - |
+ set -eu
+ if [ ! -s /etc/searxng/settings.yml ] || grep -q 'odysseus-local-searxng-json-2026-05-30\|__SEARXNG_SECRET__' /etc/searxng/settings.yml; then
+ secret="$${SEARXNG_SECRET:-}"
+ if [ -z "$$secret" ]; then
+ secret="$$(python -c 'import secrets; print(secrets.token_urlsafe(48))')"
+ fi
+ sed "s|__SEARXNG_SECRET__|$$secret|g" /tmp/searxng-settings.yml.template > /etc/searxng/settings.yml
+ fi
+ exec /usr/local/searxng/entrypoint.sh
 ports:
 - "127.0.0.1:8080:8080"
 volumes:
 - searxng-data:/etc/searxng
- - ./config/searxng/settings.yml:/etc/searxng/settings.yml
+ - ./config/searxng/settings.yml:/tmp/searxng-settings.yml.template:ro
 environment:
 - SEARXNG_BASE_URL=http://localhost:8080/
+ - SEARXNG_SECRET=${SEARXNG_SECRET:-}
 healthcheck:
 test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8080/', timeout=5).read(1)\""]
 interval: 5s
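Review bot: The user-supplied `SEARXNG_SECRET` is spliced unchecked into both a sed replacement (`sed "s|__SEARXNG_SECRET__|$$secret|g"`) and the double-quoted `secret_key` scalar, so a pinned value containing `|`, `&`, `\`, `"` or a newline either breaks the rendered settings.yml or leaves SearXNG running on a key other than the one the operator set; the generated `token_urlsafe` value is safe, only the pinned path needs a guard. A `case` charset check before the sed call closes this, and `grep -q -e … -e …` avoids the `\|` alternation, a GNU extension that a busybox grep (if that is what the image ships) may not honour. Separately, the template is rendered only while the placeholder or the old literal is present, so once the volume holds a rendered file neither a later change to `SEARXNG_SECRET` nor an edit to `config/searxng/settings.yml` is applied until that file is deleted from the volume — worth a comment above `entrypoint:` such as `# Rendered once into searxng-data; remove /etc/searxng/settings.yml from the volume to re-apply template or secret changes.` The `exec` path is an internal detail of the image, so with `image: searxng/searxng:latest` this override can break on an upstream relayout; pinning a tag would make the dependency explicit.
```yaml
    entrypoint:
      - /bin/sh
      - -c
      - |
        set -eu
        if [ ! -s /etc/searxng/settings.yml ] || grep -q -e 'odysseus-local-searxng-json-2026-05-30' -e '__SEARXNG_SECRET__' /etc/searxng/settings.yml; then
          secret="$${SEARXNG_SECRET:-}"
          if [ -z "$$secret" ]; then
            secret="$$(python -c 'import secrets; print(secrets.token_urlsafe(48))')"
          fi
          # Spliced into a sed replacement and a double-quoted YAML scalar:
          # reject anything outside the URL-safe alphabet so neither can break.
          case "$$secret" in
            *[!A-Za-z0-9_-]*) echo "SEARXNG_SECRET: only A-Z a-z 0-9 _ - are allowed" >&2; exit 1 ;;
          esac
          sed "s|__SEARXNG_SECRET__|$$secret|g" /tmp/searxng-settings.yml.template > /etc/searxng/settings.yml
        fi
        exec /usr/local/searxng/entrypoint.sh
    # … unchanged: ports, volumes, environment, healthcheck …
```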