diff --git a/app/app.py b/app/app.py
index 489a92f..0613c06 100644
--- a/app/app.py
+++ b/app/app.py
@@ -1,6 +1,6 @@
+import hashlib
 import json
 import os
-import secrets
 import subprocess
 from functools import wraps
 from pathlib import Path
@@ -9,7 +9,12 @@ from flask import (Flask, jsonify, redirect, render_template, request,
                    send_file, session, url_for)
 
 app = Flask(__name__)
-app.secret_key = os.environ.get("SECRET_KEY", secrets.token_hex(32))
+
+# Stable secret key: derive from username+password so it survives restarts
+# but changes when credentials change
+_username = os.environ.get("WEBUI_USERNAME", "admin")
+_password = os.environ.get("WEBUI_PASSWORD", "admin123")
+app.secret_key = hashlib.sha256(f"{_username}:{_password}:proxy-secret".encode()).hexdigest()
 
 CONFIG_FILE = "/data/proxy_config.json"
 NGINX_CONF_DIR = "/etc/nginx/conf.d"