diff --git a/.env.production.sample b/.env.production.sample
index b68ba523cd26c880faa708c77e120a4d518062c2..a3da10b9794808750028640ec286f8fb00b1826b 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -14,6 +14,8 @@ LOCAL_DOMAIN=example.com
 LOCAL_HTTPS=true
 
 # Application secrets
+# These are arbitrary strings. They should be long and cryptographically secure.
+# For Docker, `docker-compose run --rm web rake secret` will generate them.
 PAPERCLIP_SECRET=
 SECRET_KEY_BASE=
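Review bot: The two added comment lines under `# Application secrets` do not say that each variable needs its own value, so a reader can run the command once and paste the same output into both `PAPERCLIP_SECRET` and `SECRET_KEY_BASE`. I would add `# Generate a separate value for each variable; never reuse one secret for both.` "Arbitrary strings" also reads as if a hand-typed phrase would do; `# These must be long random strings from a secure generator, not chosen by hand.` says what the second sentence means. The comment covers only the Docker case, so a line for other installs (presumably plain `rake secret` in the app directory) would help, as would a reminder that the filled-in `.env.production` must stay out of version control. The hunk header counts one more trailing context line than is visible here, so this note covers only the lines shown.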