diff --git a/apps/app/src/main.rs b/apps/app/src/main.rs
index 19e4192..0608d58 100644
--- a/apps/app/src/main.rs
+++ b/apps/app/src/main.rs
@@ -107,8 +107,18 @@ where
 fn build_session_key(cfg: &AppConfig) -> anyhow::Result {
 if let Some(secret) = cfg.env.get("APP_SESSION_SECRET") {
- let bytes: Vec = secret.as_bytes().iter().cycle().take(64).copied().collect();
- return Ok(Key::from(&bytes));
+ if secret.len() < 32 {
+ tracing::warn!(
+ secret_len = secret.len(),
+ "APP_SESSION_SECRET is too short (<32 bytes), using generated key instead"
+ );
+ return Ok(Key::generate());
+ }
+ use sha2::{Digest, Sha256};
+ let mut hasher = Sha256::new();
+ hasher.update(secret.as_bytes());
+ let hash = hasher.finalize();
+ return Ok(Key::from(hash.as_slice()));
 }
 Ok(Key::generate())
 }
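Review bot: The new `Key::from(hash.as_slice())` hands a 32-byte SHA-256 digest to a constructor that, if `Key` is `cookie::Key` as the removed 64-byte cycling strongly suggests, panics on anything shorter than 64 bytes — so every deployment that sets a valid `APP_SESSION_SECRET` would crash at startup instead of the old (weak but working) path. The crate's `Key::derive_from` already runs a proper KDF over a master secret and requires exactly the 32-byte minimum this hunk checks for, so the four hasher lines can become `return Ok(Key::derive_from(secret.as_bytes()));` with the `sha2` import dropped; `Key::try_from(...)` is the non-panicking alternative if a 64-byte raw key is intended. Separately, the short-secret branch logs a warning and falls back to `Key::generate()`, which means a misconfigured secret silently yields sessions that do not survive restarts or span replicas; consider returning an `anyhow::bail!` so the misconfiguration is fatal rather than a log line. The `where` in the hunk header suggests this function sits inside a generic context that is not visible here.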