diff --git a/sample-configs/application.properties b/sample-configs/application.properties
index 9bf3f1b..7d07dab 100644
--- a/sample-configs/application.properties
+++ b/sample-configs/application.properties
@@ -1,33 +1,18 @@
-# --- Database (hardcoded plaintext credentials) ---
 spring.datasource.url=jdbc:postgresql://db.example.com:5432/appdb
 spring.datasource.username=app_user
-spring.datasource.password=SuperSecretPassword123!
-
-# --- Actuator (exposes many sensitive management endpoints) ---
-management.endpoints.web.exposure.include=*
-management.endpoint.health.show-details=always
+spring.datasource.password=${DB_PASSWORD}
+management.endpoints.web.exposure.include=health,info
+management.endpoint.health.show-details=when-authorized
 management.endpoints.web.base-path=/actuator
-
-# --- Logging (debug enabled; may log secrets) ---
-logging.level.root=DEBUG
+logging.level.root=INFO
 logging.file.name=/var/log/myapp/app.log
-
-# --- OAuth / JWT (hardcoded secret) ---
 security.oauth2.client.client-id=my-client
-security.oauth2.client.client-secret=DefinitelyNotSafeSecret
-jwt.secret=ultrasecretjwtkeythatshouldntbecommitted
-
-# --- CORS (too permissive) ---
-app.cors.allowed-origins=*
-
-# --- File uploads/temp dir accessible on disk ---
-file.upload-dir=/tmp/uploads
-
-# --- SMTP (plain credentials) ---
+security.oauth2.client.client-secret=${OAUTH2_CLIENT_SECRET}
+jwt.secret=${JWT_SECRET}
+app.cors.allowed-origins=https://mytrusteddomain.com
+file.upload-dir=${FILE_UPLOAD_DIR}
 spring.mail.host=smtp.example.com
 spring.mail.username=noreply@example.com
-spring.mail.password=MailPassw0rd!
-
-# --- Feature flags enabled for debugging / admin ---
-app.debug=true
-app.admin.open=true
+spring.mail.password=${MAIL_PASSWORD}
+app.debug=false
+app.admin.open=false
\ No newline at end of file
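Review bot: The credentials now injected through `${DB_PASSWORD}` and `${MAIL_PASSWORD}` are still sent over connections this file does not force to be encrypted: the unchanged `spring.datasource.url` carries no `sslmode` parameter and no `spring.mail.properties.mail.smtp.starttls.*` keys are set, so with driver defaults the password may travel in the clear or over an unverified TLS session. I would change the JDBC line to `spring.datasource.url=jdbc:postgresql://db.example.com:5432/appdb?sslmode=verify-full` and add `spring.mail.properties.mail.smtp.starttls.enable=true` and `spring.mail.properties.mail.smtp.starttls.required=true` beside the mail settings (the port and the CA/trust-store the driver verifies against depend on the deployment, so confirm them for the target environment). The commit also dropped every section comment, leaving no hint that the `${…}` placeholders have no defaults and will abort startup when a variable is missing — the right fail-closed behaviour, but it should be stated: a header such as `# Secrets are injected from the environment (DB_PASSWORD, OAUTH2_CLIENT_SECRET, JWT_SECRET, MAIL_PASSWORD); startup fails if one is unset. Never commit literal values here.` keeps that intent visible. Lastly, `management.endpoint.health.show-details=when-authorized` only withholds details if the actuator paths are actually covered by the application's security filter chain, which a properties file cannot show; a one-line comment pointing at the configuration that protects `/actuator/**` would let a reader verify that assumption.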