diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index dea3b691..c3873dd6 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -192,7 +192,7 @@ jobs:
               --log-driver 'json-file' \
               --log-opt max-size=100m \
               --log-opt max-file=3 \
-              -e DJANGO_SETTINGS_MODULE='iati.settings.dev' \
+              -e DJANGO_SETTINGS_MODULE='iati.settings.dev_public' \
               -e SECRET_KEY='${{ secrets.DEV_SECRET_KEY }}' \
               -e DATABASE_NAME='${{ secrets.DEV_DATABASE_NAME }}' \
               -e DATABASE_USER='${{ secrets.DEV_DATABASE_USER }}' \
diff --git a/iati/settings/dev_public.py b/iati/settings/dev_public.py
new file mode 100644
index 00000000..8de06fe8
--- /dev/null
+++ b/iati/settings/dev_public.py
@@ -0,0 +1,34 @@
+"""Settings for the public dev environment (overrides base settings).
+
+DEBUG is False etc. because the website is publicly accessible.
+"""
+
+import os
+from .base import *  # noqa: F401, F403 # pylint: disable=unused-wildcard-import, wildcard-import
+
+DEBUG = False
+
+# SECURITY WARNING: keep the secret key used in production secret!
+# Overwrite this variable in local.py with another unguessable string.
+SECRET_KEY = os.environ.get('SECRET_KEY')
+
+EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+ALLOWED_HOSTS = [
+    '0.0.0.0',
+    'iatistandard.org',
+    '.iatistandard.org',
+]
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
+SECURE_SSL_REDIRECT = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
+SESSION_COOKIE_SECURE = not DEBUG
+
+AZURE_ACCOUNT_NAME = os.getenv('AZURE_ACCOUNT_NAME')
+
+try:
+    from .local import *  # # noqa: F401, F403  # pylint: disable=unused-wildcard-import, wildcard-import
+except ImportError:
+    pass