diff --git a/backend/.env.example b/backend/.env.example
index 3de5985..befc4d4 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -57,8 +57,8 @@ USE_S3=False
 AWS_S3_ENDPOINT_URL=https://s3.vontor.cz
 AWS_S3_CUSTOM_DOMAIN=s3.vontor.cz
 AWS_STORAGE_BUCKET_NAME=vontor-cz
-AWS_ACCESS_KEY_ID=pO70oxXGV4R6OSHxNmzv
-AWS_SECRET_ACCESS_KEY=1gY19XzWBOWiIkDKvCQF8Xkc72mFX4iILkBBV0ML
+AWS_ACCESS_KEY_ID=xxx
+AWS_SECRET_ACCESS_KEY=xxx
 
 # AWS S3 (swap in for production — clear AWS_S3_ENDPOINT_URL)
 # AWS_STORAGE_BUCKET_NAME=my-bucket
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 691589d..cd6c9e1 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -18,6 +18,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
 
 COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
 COPY . .
 
 # Trust Windows/corporate root CAs if present (optional, no-op when certs/ is absent)
@@ -26,6 +28,4 @@ RUN test -f certs/windows-ca-bundle.crt \
 && update-ca-certificates \
 || true
 
-RUN pip install --no-cache-dir -r requirements.txt
-
 EXPOSE 8000
diff --git a/backend/vontor_cz/turnstile.py b/backend/vontor_cz/turnstile.py
index 205ab22..f5f6c58 100644
--- a/backend/vontor_cz/turnstile.py
+++ b/backend/vontor_cz/turnstile.py
@@ -11,8 +11,13 @@ def verify_turnstile(token: str, remote_ip: str | None = None) -> bool:
 """
 Verify a Cloudflare Turnstile token against the siteverify API.
 Returns True if valid, False otherwise.
- If CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured, skips verification (dev bypass).
+ Skips verification when SSL is disabled (non-HTTPS env) or when
+ CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured.
 """
+ if not getattr(settings, "USE_SSL", False):
+ logger.debug("Turnstile: SSL disabled, skipping verification.")
+ return True
+
 secret = getattr(settings, "CLOUDFLARE_TURNSTILE_SECRET_KEY", "")
 if not secret:
 logger.debug("Turnstile: no secret key configured, skipping verification.")
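Review bot: The two values removed from backend/.env.example have the length and shape of a real access key pair, and replacing them with `xxx` does not withdraw them: they remain readable in the repository history and in every existing clone or fork. If they were ever valid for the s3.vontor.cz endpoint, they should be revoked and reissued there, and the bucket's access logs checked for use from unexpected clients. A comment above the placeholders such as `# Placeholders only: real keys belong in an untracked .env, never in this file` would make the intent explicit, and a secret-scanning pre-commit or CI check would catch a repeat.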
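Review bot: In backend/Dockerfile the `pip install` now runs before the optional `update-ca-certificates` step, whereas it previously ran after it (the second hunk removes the old position). If pip in this image is expected to trust the corporate root CA from certs/ (an assumption, since that depends on whether pip is set to use the system trust store), builds behind a TLS-inspecting proxy would now fail certificate verification, and the usual workaround of switching verification off costs more than the cache miss this reorder avoids. Either copy and trust the CA bundle before this line, or record the limitation with `# NOTE: runs before the CA-bundle step below; index access must work with the image's default trust store`. requirements.txt is not visible here, so whether versions are pinned or hash-checked cannot be judged from this hunk.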
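Review bot: The new early return in verify_turnstile fails open: `getattr(settings, "USE_SSL", False)` treats a missing setting as "SSL disabled", so any deployment that does not define USE_SSL (for example one where TLS terminates at a proxy) accepts every token without contacting siteverify. A transport setting is also a weak stand-in for "this is a dev environment"; tie the bypass to an explicit opt-in, e.g. `if settings.DEBUG and not getattr(settings, "USE_SSL", False):`, and log it with `logger.warning(...)` rather than `logger.debug(...)` so a disabled check is visible in production logs. The existing no-secret branch just below has the same fail-open shape and would benefit from the same treatment. The function body continues past the end of the hunk.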
diff --git a/frontend/.env.example b/frontend/.env.example
index 6c8de13..c11d6e4 100644
--- a/frontend/.env.example
+++ b/frontend/.env.example
@@ -9,3 +9,6 @@ VITE_BACKEND_WS_URL="ws://localhost:8000/"
 # Auth endpoints (defaults match Django routes; only override if you changed them).
 # VITE_API_REFRESH_URL=/api/token/refresh/
 # VITE_LOGIN_PATH=/social/login
+
+VITE_TURNSTILE_SITE_KEY="xxx"
+VITE_USE_TURNSTILE=true
\ No newline at end of file
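Review bot: The two new variables in frontend/.env.example are added without an explanatory comment, unlike the Auth endpoints group just above them, and the file now ends without a trailing newline. Because every `VITE_`-prefixed variable is compiled into the client bundle, a comment such as `# Cloudflare Turnstile: public site key only; the secret key stays in the backend env and must never get a VITE_ prefix` would head off a costly mistake. It is also worth stating there that `VITE_USE_TURNSTILE` only controls whether the widget is shown, while enforcement is decided by the backend.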