diff --git a/docker-compose.yml b/docker-compose.yml
index bb915a5..4317828 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,11 +10,22 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "443:443"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+      - CHOWN
   nginx-relay:
     image: nginx:alpine
     restart: unless-stopped
     volumes:
       - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
   certbot:
     image: certbot/certbot
     restart: unless-stopped
@@ -23,4 +34,10 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "80:80"
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
\ No newline at end of file
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
\ No newline at end of file