diff --git a/.dockerignore b/.dockerignore
index 5614512..ade5d84 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,7 +2,11 @@
 *.sqlite3
 .env
 .git
+.mypy_cache
 .pre-commit-config.yaml
 .venv
+fly.toml
 media
 notes.md
+venv
+virtualenv
diff --git a/.gitignore b/.gitignore
index 8b8f355..3323b44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 *.psql
 *.pyc
 *.sqlite3
+.DS_Store
 .idea/*
 .venv
 .vscode
@@ -14,5 +15,6 @@
 /static-collected
 __pycache__/
 api-test.*
+fly.toml
 notes.md
 notes.py
diff --git a/docs/installation.rst b/docs/installation.rst
index ebb8c24..d1e3b55 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -176,7 +176,7 @@ To use a local directory, specify the media URL as ``local://``.
 You must then also specify:
 
 * ``TAKAHE_MEDIA_ROOT``, the file path to the local media Directory
-* ``TAKAHE_MEDIA_URL``, a fully-qualified URL prefix that serves that directory
+* ``TAKAHE_MEDIA_URL``, a fully-qualified URL prefix that serves that directory (must end in a slash)
 
 The media directory must be read-write accessible from every single container
 of Takahē - webserver and workers alike.
diff --git a/takahe/settings.py b/takahe/settings.py
index d370254..65e97d0 100644
--- a/takahe/settings.py
+++ b/takahe/settings.py
@@ -102,6 +102,10 @@ class Settings(BaseSettings):
     MEDIA_ROOT: str = str(BASE_DIR / "media")
     MEDIA_BACKEND: MediaBackendUrl | None = None
 
+    #: S3 ACL to apply to all media objects when MEDIA_BACKEND is set to S3. If using a CDN
+    #: and/or have public access blocked to buckets this will likely need to be 'private'
+    MEDIA_BACKEND_S3_ACL: str = "public-read"
+
     #: Maximum filesize when uploading images. Increasing this may increase memory utilization
     #: because all images with a dimension greater than 2000px are resized to meet that limit, which
     #: is necessary for compatibility with Mastodon’s image proxy.
@@ -370,7 +374,7 @@ if SETUP.MEDIA_BACKEND:
         DEFAULT_FILE_STORAGE = "core.uploads.TakaheS3Storage"
         AWS_STORAGE_BUCKET_NAME = parsed.path.lstrip("/")
         AWS_QUERYSTRING_AUTH = False
-        AWS_DEFAULT_ACL = "public-read"
+        AWS_DEFAULT_ACL = SETUP.MEDIA_BACKEND_S3_ACL
         if parsed.username is not None:
             AWS_ACCESS_KEY_ID = parsed.username
             AWS_SECRET_ACCESS_KEY = urllib.parse.unquote(parsed.password)