diff --git a/Makefile b/Makefile
index 47ce9fcd7..aaadfefa7 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,7 @@ ACTIVATE?=. ${VENV}/bin/activate;
 VIRTUALENV_PYZ=etc/thirdparty/virtualenv.pyz
 # Do not depend on Python to generate the SECRET_KEY
 GET_SECRET_KEY=`base64 /dev/urandom | head -c50`
+GET_ALTCHA_HMAC_KEY=`head -c 32 /dev/urandom | xxd -p -c 32`
 # Customize with `$ make envfile ENV_FILE=/etc/vulnerablecode/.env`
 ENV_FILE=.env
 # Customize with `$ make postgres VULNERABLECODE_DB_PASSWORD=YOUR_PASSWORD`
@@ -63,6 +64,7 @@ envfile:
 @if test -f ${ENV_FILE}; then echo ".env file exists already"; exit 1; fi
 @mkdir -p $(shell dirname ${ENV_FILE}) && touch ${ENV_FILE}
 @echo SECRET_KEY=\"${GET_SECRET_KEY}\" > ${ENV_FILE}
+ @echo ALTCHA_HMAC_KEY=\"${GET_ALTCHA_HMAC_KEY}\" >> ${ENV_FILE}
 isort:
 @echo "-> Apply isort changes to ensure proper imports ordering"
diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py
index 3e5c5341f..05a3d0fa8 100644
--- a/vulnerablecode/settings.py
+++ b/vulnerablecode/settings.py
@@ -38,6 +38,10 @@ CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])
+# Altcha 32-byte hexadecimal key
+
+ALTCHA_HMAC_KEY = env.str("ALTCHA_HMAC_KEY")
+
 # SECURITY WARNING: do not run with debug turned on in production
 DEBUG = env.bool("VULNERABLECODE_DEBUG", default=False)
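Review bot: The new `GET_ALTCHA_HMAC_KEY` command depends on `xxd`, which is not a POSIX utility and is often missing from minimal images. When it is absent the backticks expand to an empty string, and the `envfile` recipe in the next Makefile hunk still succeeds and writes `ALTCHA_HMAC_KEY=""`. An empty HMAC key would presumably let anyone compute a valid signature, so generate the value with a tool that is always present, for example `` GET_ALTCHA_HMAC_KEY=`od -An -vtx1 -N32 /dev/urandom | tr -d ' \n'` ``. A one-line comment above it, such as `# 32 random bytes, hex-encoded (64 characters)`, would match the comment on `GET_SECRET_KEY`.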
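Review bot: The appended `@echo ALTCHA_HMAC_KEY=...` line puts a second secret into a file that the recipe creates with `touch` under the caller's umask, so with a common 022 umask the env file ends up readable by every local user. Restrict it as the last step of the `envfile` recipe with `@chmod 600 ${ENV_FILE}`, or create it under `umask 077`. The recipe also exits early when the env file already exists, so existing installs never receive the new key from this target and need an upgrade note.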
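Review bot: `ALTCHA_HMAC_KEY = env.str("ALTCHA_HMAC_KEY")` accepts any string, including an empty one, although the comment above it promises a 32-byte hexadecimal key. A weak or blank signing key should stop startup rather than be used, for example `if len(ALTCHA_HMAC_KEY) < 64: raise ImproperlyConfigured("ALTCHA_HMAC_KEY must be 32 random bytes, hex-encoded")`, with `ImproperlyConfigured` imported from `django.core.exceptions`. The setting has no default, so deployments whose env file predates this change will presumably fail at import until the key is added; that fail-closed behaviour is reasonable but worth stating in the comment. The comment could read `# Secret HMAC key for signing Altcha challenges: 32 random bytes, hex-encoded (64 chars). Required; keep out of version control.`, and the blank line between it and the assignment can go.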