diff --git a/charts/dify/README.md b/charts/dify/README.md
index 68e06d8..fbf7f54 100644
--- a/charts/dify/README.md
+++ b/charts/dify/README.md
@@ -48,6 +48,22 @@ The minimal configure provided above is sufficient for experiment but **without
 You **must do** the following extra work before put it into production!!
+### Protect Sensitive info with secret
+Environment variable like `SECRET_KEY` could be harmful if leaked, it is adviced to protect them using secret or csi volume.
+
+The example of using secret is like
+```
+global:
+ extraBackendEnvs:
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: dify
+ key: SECRET_KEY
+```
+
+Read more: https://kubernetes.io/docs/concepts/security/secrets-good-practices/
+
 ### External postgresql
 1. set the `postgresql.embedded` to `false`
diff --git a/charts/dify/values.yaml b/charts/dify/values.yaml
index ced6131..5eeb145 100644
--- a/charts/dify/values.yaml
+++ b/charts/dify/values.yaml
@@ -19,17 +19,23 @@ global:
 # * frontend
 # * api
 # * worker
- extraEnvs:
- # SECRET_KEY is a must, check https://docs.dify.ai/getting-started/install-self-hosted/environments#secret_key for detail
- - name: SECRET_KEY
- value: "PleaseReplaceThisToYourSecret"
+ extraEnvs: []
 # the following extra configs would be injected into:
 # * api
 # * worker
- extraBackendEnvs: []
+ extraBackendEnvs:
+ # SECRET_KEY is a must, check https://docs.dify.ai/getting-started/install-self-hosted/environments#secret_key for detail
+ # read more on the readme page for secret ref
+ - name: SECRET_KEY
+ value: "PleaseReplaceThisToYourSecretOrUse"
+ # use secretRef to protect your secret
 # - name: SECRET_KEY
- # value: xxx
+ # valueFrom:
+ # secretKeyRef:
+ # name: dify
+ # key: SECRET_KEY
+
 ingress:
 enabled: false
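Review bot: The new default under `global.extraBackendEnvs` in values.yaml still ships a fixed placeholder, `value: "PleaseReplaceThisToYourSecretOrUse"`, so a release installed without an override runs api and worker with a SECRET_KEY that is public in the chart; the placeholder text also reads as cut off after "OrUse". Consider shipping no literal value and making the commented `secretKeyRef` entry the default path, or, if the placeholder stays, have the templates (not visible in this diff) fail rendering while it is unchanged. The comment above the commented-out block should state that it replaces the literal entry, e.g. `# replace the entry above with this one; do not keep two SECRET_KEY items`, since uncommenting it as written leaves two list items with the same name. Because the key moves out of `extraEnvs`, values files that still set it there will presumably keep injecting it into the frontend as well, which deserves an upgrade note.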