diff --git a/TEMPLATE.env b/TEMPLATE.env
index 68ecc47..c519f42 100644
--- a/TEMPLATE.env
+++ b/TEMPLATE.env
@@ -26,9 +26,9 @@ SERVER_EMAIL=Shynet <noreply@shynet.example.com>
 # General Django settings
 DJANGO_SECRET_KEY=random_string
 
-# For better security, set these to your deployment's domain. Comma separated.
-ALLOWED_HOSTS=*
-CSRF_TRUSTED_ORIGINS=*
+# Set these to your deployment's domain. Both are comma separated, but CSRF_TRUSTED_ORIGINS also requires a scheme (e.g., `https://`).
+ALLOWED_HOSTS=example.com
+CSRF_TRUSTED_ORIGINS=https://example.com
 
 # Localization
 # https://docs.djangoproject.com/en/2.2/topics/i18n/