diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..5a4962b
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,22 @@
+# telegram-form-worker — required secrets
+#
+# These are NOT loaded from this file at runtime. This file documents the
+# variable names and shapes; the actual values must be set as Cloudflare
+# Wrangler secrets (encrypted, never committed):
+#
+#   wrangler secret put BOT_TOKEN
+#   wrangler secret put CHAT_ID
+#   wrangler secret put ALLOWED_ORIGIN
+#
+# The Worker reads them at runtime as `env.BOT_TOKEN`, `env.CHAT_ID`,
+# `env.ALLOWED_ORIGIN`. If any is missing the Worker responds 500.
+
+# Telegram bot token from @BotFather. Format: <numeric-id>:<base64-ish-payload>.
+# IMPORTANT: never paste a real token here — keep this file as documentation only.
+BOT_TOKEN=000000000:AAEXAMPLE_REPLACE_WITH_BOT_FATHER_TOKEN
+
+# Telegram numeric chat id (positive for users, negative for groups/channels).
+CHAT_ID=000000000
+
+# Allowed CORS origin (the site that hosts the contact form).
+ALLOWED_ORIGIN=https://your-site.example
diff --git a/src/index.js b/src/index.js
index a1d4ae6..4ae9494 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,8 +1,14 @@
 export default {
   async fetch(request, env, ctx) {
-    const BOT_TOKEN = '8157141771:AAHxRzh3_kCS1amiPTaXw3FTYnN-GrBdt-g';
-    const CHAT_ID = '338930874';
-    const ALLOWED_ORIGIN = 'https://itpovar.ru';
+    // Secrets (set via `wrangler secret put BOT_TOKEN` etc.) — never commit values to source.
+    // See .env.example for the full list of required secrets and how to set them.
+    const BOT_TOKEN = env.BOT_TOKEN;
+    const CHAT_ID = env.CHAT_ID;
+    const ALLOWED_ORIGIN = env.ALLOWED_ORIGIN; // e.g. 'https://your-site.example'
+
+    if (!BOT_TOKEN || !CHAT_ID || !ALLOWED_ORIGIN) {
+      return new Response('Worker is not configured. Set BOT_TOKEN, CHAT_ID, ALLOWED_ORIGIN as Wrangler secrets.', { status: 500 });
+    }
 
     if (request.method === 'OPTIONS') {
       return new Response(null, {
@@ -21,7 +27,7 @@ export default {
 
     try {
       const requestData = await request.json();
-      
+
       const message = `
 🔥 Новая заявка с сайта!
 
@@ -63,4 +69,4 @@ ${requestData.message}
       });
     }
   }
-};
\ No newline at end of file
+};