diff --git a/server/start.sh b/server/start.sh
index 0f41de93..253fd6b5 100755
--- a/server/start.sh
+++ b/server/start.sh
@@ -2,46 +2,34 @@
 set -eu
-# Load secrets from files if *__FILE variables are provided.
-# Only the first line of each file is read (newline excluded).
+# Load secrets from files if corresponding *__FILE environment variables are set.
+# Only the first line of each file is read (stripping carriage returns and newlines).
+
+read_secret() {
+ local file="$1"
+ head -n 1 "$file" | tr -d '\r\n'
+}
+
+load_secret() {
+ local envar="$1"
+ local file="${envar}__FILE"
+ if [[ -z "${!envar:-}" && -e "${!file:-}" ]]; then
+ export "$envar"="$(read_secret "${!file}")"
+ fi
+}
-# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
 if [[ -n "${DATABASE_URL}" ]]; then
 if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
- read DATABASE_PASSWORD < "${DATABASE_PASSWORD__FILE}"
+ DATABASE_PASSWORD="$(read_secret "${DATABASE_PASSWORD__FILE}")"
 export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
 fi
 fi
-# SECRET_KEY
-if [[ -z "${SECRET_KEY:-}" && -e "${SECRET_KEY__FILE:-}" ]]; then
- read SECRET_KEY < "${SECRET_KEY__FILE}"
- export SECRET_KEY
-fi
-
-# DEFAULT_ADMIN_PASSWORD
-if [[ -z "${DEFAULT_ADMIN_PASSWORD:-}" && -e "${DEFAULT_ADMIN_PASSWORD__FILE:-}" ]]; then
- read DEFAULT_ADMIN_PASSWORD < "${DEFAULT_ADMIN_PASSWORD__FILE}"
- export DEFAULT_ADMIN_PASSWORD
-fi
-
-# S3_SECRET_ACCESS_KEY
-if [[ -z "${S3_SECRET_ACCESS_KEY:-}" && -e "${S3_SECRET_ACCESS_KEY__FILE:-}" ]]; then
- read S3_SECRET_ACCESS_KEY < "${S3_SECRET_ACCESS_KEY__FILE}"
- export S3_SECRET_ACCESS_KEY
-fi
-
-# OIDC_CLIENT_SECRET
-if [[ -z "${OIDC_CLIENT_SECRET:-}" && -e "${OIDC_CLIENT_SECRET__FILE:-}" ]]; then
- read OIDC_CLIENT_SECRET < "${OIDC_CLIENT_SECRET__FILE}"
- export OIDC_CLIENT_SECRET
-fi
-
-# SMTP_PASSWORD
-if [[ -z "${SMTP_PASSWORD:-}" && -e "${SMTP_PASSWORD__FILE:-}" ]]; then
- read SMTP_PASSWORD < "${SMTP_PASSWORD__FILE}"
- export SMTP_PASSWORD
-fi
+load_secret SECRET_KEY
+load_secret DEFAULT_ADMIN_PASSWORD
+load_secret S3_SECRET_ACCESS_KEY
+load_secret OIDC_CLIENT_SECRET
+load_secret SMTP_PASSWORD
 export NODE_ENV=production
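Review bot: A secret file that exists but cannot be read (wrong permissions, or a directory, since the guard is only `-e`) now yields an empty value instead of stopping startup. In `read_secret` the pipeline's status is that of `tr`, and in `load_secret` the `export "$envar"="$(...)"` form discards the substitution's status as well. The removed `read VAR < file` lines aborted under `set -eu` when the redirection failed, so this moves towards failing open; what the server does with an empty `SECRET_KEY` or `OIDC_CLIENT_SECRET` is not visible here. I would enable `set -o pipefail` next to `set -eu` and split the assignment in `load_secret` into `local value`, `value="$(read_secret "${!file}")"` and `export "$envar=$value"`. The `DATABASE_PASSWORD` line is already a plain assignment and only needs the `pipefail` part.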