diff --git a/.env.production.sample b/.env.production.sample
index 190b372c2..e75bf9671 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -12,8 +12,7 @@ LOCAL_DOMAIN=example.com
 LOCAL_HTTPS=true
 
 # Application secrets
-# These are arbitrary strings. They should be long and cryptographically secure.
-# For Docker, `docker-compose run --rm web rake secret` will generate them.
+# Generate each with the `rake secret` task
 PAPERCLIP_SECRET=
 SECRET_KEY_BASE=
 
@@ -23,3 +22,6 @@ SMTP_PORT=587
 SMTP_LOGIN=
 SMTP_PASSWORD=
 SMTP_FROM_ADDRESS=notifications@example.com
+
+# Optional asset host for multi-server setups
+# CDN_HOST=assets.example.com
diff --git a/config/environments/production.rb b/config/environments/production.rb
index dcb659d6c..0672cd587 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -13,7 +13,7 @@ Rails.application.configure do
   # Full error reports are disabled and caching is turned on.
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
-  config.action_controller.asset_host      = ENV['CDN_HOST']
+  config.action_controller.asset_host      = ENV['CDN_HOST'] if ENV.key?('CDN_HOST')
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.