diff --git a/public/api/contact.php b/public/api/contact.php
index 5d17223..bbad0af 100644
--- a/public/api/contact.php
+++ b/public/api/contact.php
@@ -4,6 +4,18 @@ header('Access-Control-Allow-Origin: https://sag24.ru');
 header('Access-Control-Allow-Methods: POST');
 header('Access-Control-Allow-Headers: Content-Type');
+// Load secrets from outside webroot (not in git)
+$configFile = dirname(__DIR__, 2) . '/contact-config.php';
+if (file_exists($configFile)) {
+    require_once $configFile;
+} else {
+    // Fallback values for local development (override via contact-config.php on server)
+    $BOT_TOKEN = getenv('TELEGRAM_BOT_TOKEN') ?: '';
+    $CHAT_ID = getenv('TELEGRAM_CHAT_ID') ?: '';
+    $TURNSTILE_SECRET = getenv('TURNSTILE_SECRET_KEY') ?: '';
+    $smtp_pass = getenv('SMTP_PASS') ?: '';
+}
+
 
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
     echo json_encode(['error' => 'Method not allowed']);
@@ -62,7 +74,6 @@ if (mb_strlen($phone) > 30) { http_response_code(400); echo json_encode(['error
 if (mb_strlen($message) > 5000) { http_response_code(400); echo json_encode(['error' => 'Message too long']); exit; }
 
 // ─── Cloudflare Turnstile verification ───────────────────────────────────────
-$TURNSTILE_SECRET = '0x4AAAAAACrQSySNBa2C2FWQq2ty1_UyLhc';
 if ($TURNSTILE_SECRET) {
     if (!$turnstileToken) {
         http_response_code(400);
@@ -86,8 +97,6 @@ if ($TURNSTILE_SECRET) {
 }
 
 // ─── Telegram (best-effort, not fatal) ───────────────────────────────────────
-$BOT_TOKEN = '8138813013:AAElH2L5NspRLSdiFjDz6Qf32n4G24P_cj8';
-$CHAT_ID = '-5230603582';
 $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
 $referer = $_SERVER['HTTP_REFERER'] ?? '';
 
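Review bot: Falling back to `''` for `$TURNSTILE_SECRET`, `$BOT_TOKEN`, `$CHAT_ID` and `$smtp_pass` when `contact-config.php` is absent means a deployment that forgets the file silently runs with Turnstile verification disabled (the later `if ($TURNSTILE_SECRET)` block is skipped entirely) and an empty SMTP password, so the endpoint fails open instead of closed. Outside local development an empty secret should be a hard error, e.g. `if ($TURNSTILE_SECRET === '' || $smtp_pass === '') { http_response_code(500); echo json_encode(['error' => 'Server misconfigured']); exit; }` placed after the fallback block and gated on whatever marks the dev environment. The included file is also trusted to define exactly these four variables, and a missing one surfaces only as an undefined-variable warning, so a comment above `require_once` such as `// contact-config.php must define $BOT_TOKEN, $CHAT_ID, $TURNSTILE_SECRET, $smtp_pass` would make the contract explicit. `dirname(__DIR__, 2)` resolves to the repository root, which is "outside webroot" only when the document root is `public/`; that assumption belongs in the comment too. The credentials removed in this file's later hunks (Turnstile secret, Telegram bot token and chat id, SMTP password) remain in git history, so they need to be rotated, not just relocated.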
@@ -120,18 +129,19 @@ curl_close($ch);
 $smtp_host = 'mx.hhivp.com';
 $smtp_port = 587;
 $smtp_user = 'noreply@sag24.ru';
-$smtp_pass = '9hsnDyBAk5&S4#lE';
 $mail_to = 'info@sag24.ru';
-$subject = "=?UTF-8?B?" . base64_encode("Заявка с sag24.ru от {$name}") . "?=";
-$body = "Имя: {$name}\r\n";
-if ($company) $body .= "Компания: {$company}\r\n";
-if ($email) $body .= "Email: {$email}\r\n";
-if ($phone) $body .= "Телефон: {$phone}\r\n";
-$body .= "\r\nСообщение:\r\n{$message}\r\n";
-$body .= "\r\nIP: {$ip}";
-if ($country) $body .= " | Страна: {$country}";
-$body .= "\r\n" . date('d.m.Y H:i', time() + 3 * 3600) . " MSK";
+$subj_enc = "=?UTF-8?B?" . base64_encode("Заявка с sag24.ru от {$name}") . "?=";
+$html_body = "

Заявка с sag24.ru

"; +$html_body .= "

Имя: {$name}

"; +if ($company) $html_body .= "

Компания: {$company}

"; +if ($email) $html_body .= "

Email: {$email}

"; +if ($phone) $html_body .= "

Телефон: {$phone}

"; +$msg_html = nl2br($message); +$html_body .= "

Сообщение:
{$msg_html}

"; +$html_body .= "

IP: {$ip}"; +if ($country) $html_body .= " | Страна: {$country}"; +$html_body .= " | " . date('d.m.Y H:i', time() + 3 * 3600) . " MSK

"; try { $smtp = fsockopen($smtp_host, $smtp_port, $errno, $errstr, 10); @@ -149,9 +159,9 @@ try { fwrite($smtp, "MAIL FROM:<{$smtp_user}>\r\n"); fgets($smtp, 512); fwrite($smtp, "RCPT TO:<{$mail_to}>\r\n"); fgets($smtp, 512); fwrite($smtp, "DATA\r\n"); fgets($smtp, 512); - fwrite($smtp, "From: noreply@sag24.ru\r\nTo: {$mail_to}\r\nSubject: {$subject}\r\n"); - fwrite($smtp, "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n"); - fwrite($smtp, $body . "\r\n.\r\n"); fgets($smtp, 512); + fwrite($smtp, "From: noreply@sag24.ru\r\nTo: {$mail_to}\r\nSubject: {$subj_enc}\r\n"); + fwrite($smtp, "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"); + fwrite($smtp, $html_body . "\r\n.\r\n"); fgets($smtp, 512); fwrite($smtp, "QUIT\r\n"); fclose($smtp); }