diff --git a/config/config.example.yml b/config/config.example.yml
index c591eb6a..2da6e55e 100644
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -455,13 +455,17 @@ jobs:
 #use_pubsub_feeds: false
 
 ##
-## HMAC signing key used for CSRF tokens and pubsub
+## HMAC signing key used for CSRF tokens, cookies and pubsub
 ## subscriptions verification.
 ##
+## Note: This parameter is mandatory and should be a random string.
+## Such random string can be generated on linux with the following
+## command: `pwdgen 20 1`
+##
 ## Accepted values: a string
 ## Default: <none>
 ##
-#hmac_key:
+hmac_key: "CHANGE_ME!!"
 
 ##
 ## List of video IDs where the "download" widget must be
diff --git a/docker-compose.yml b/docker-compose.yml
index eb83b020..6a854475 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,6 +30,7 @@ services:
         # domain:
         # https_only: false
         # statistics_enabled: false
+        hmac_key: "CHANGE_ME!!"
     healthcheck:
       test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1
       interval: 30s
diff --git a/src/invidious/config.cr b/src/invidious/config.cr
index 9fc58409..e5f1e822 100644
--- a/src/invidious/config.cr
+++ b/src/invidious/config.cr
@@ -85,7 +85,7 @@ class Config
   # Used to tell Invidious it is behind a proxy, so links to resources should be https://
   property https_only : Bool?
   # HMAC signing key for CSRF tokens and verifying pubsub subscriptions
-  property hmac_key : String?
+  property hmac_key : String = ""
   # Domain to be used for links to resources on the site where an absolute URL is required
   property domain : String?
   # Subscribe to channels using PubSubHubbub (requires domain, hmac_key)
@@ -204,6 +204,16 @@ class Config
         end
     {% end %}
 
+    # HMAC_key is mandatory
+    # See: https://github.com/iv-org/invidious/issues/3854
+    if config.hmac_key.empty?
+      puts "Config: 'hmac_key' is required/can't be empty"
+      exit(1)
+    elsif config.hmac_key == "CHANGE_ME!!"
+      puts "Config: The value of 'hmac_key' needs to be changed!!"
+      exit(1)
+    end
+
     # Build database_url from db.* if it's not set directly
     if config.database_url.to_s.empty?
       if db = config.db
@@ -216,7 +226,7 @@ class Config
           path: db.dbname,
         )
       else
-        puts "Config : Either database_url or db.* is required"
+        puts "Config: Either database_url or db.* is required"
         exit(1)
       end
     end