diff --git a/docker-compose.yml b/docker-compose.yml
index 987e05d8..97178bfc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -196,6 +196,8 @@ services:
 
   # NGINX reverse proxy (optional)
   nginx:
+    security_opt:
+      - "no-new-privileges:true"
     image: nginx:alpine
     container_name: nginx-proxy
     ports:
@@ -204,9 +206,14 @@ services:
     volumes:
       - ./.docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./.docker/nginx/ssl:/etc/nginx/ssl:ro
+    tmpfs:
+      - /var/run
+      - /var/cache/nginx
+      - /var/log/nginx
     networks:
       - rustfs-network
     restart: unless-stopped
+    read_only: true
     profiles:
       - proxy
     depends_on: