diff --git a/Dockerfile b/Dockerfile
index c185e16..93ced44 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,5 +24,7 @@ COPY --from=backend /app/backend/package.json ./
 COPY --from=backend /app/backend/prisma ./prisma
 COPY --from=backend /app/backend/seed.js ./seed.js
 COPY --from=frontend /app/frontend/.output/public ./public
+RUN addgroup -S wraith && adduser -S wraith -G wraith && chown -R wraith:wraith /app
+USER wraith
 EXPOSE 3000
 CMD ["sh", "-c", "ls -la prisma/migrations/ && ls -la prisma/migrations/*/ && npx prisma migrate deploy --schema prisma/schema.prisma && node seed.js; node dist/src/main.js"]
diff --git a/backend/package.json b/backend/package.json
index c7b3436..7c00e28 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -24,6 +24,7 @@
 "@nestjs/websockets": "^10.0.0",
 "@prisma/client": "^6.0.0",
 "argon2": "^0.44.0",
+ "helmet": "^8.0.0",
 "bcrypt": "^5.1.0",
 "class-transformer": "^0.5.1",
 "class-validator": "^0.14.0",
diff --git a/backend/src/main.ts b/backend/src/main.ts
index 0144a73..1c984b9 100644
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -1,3 +1,4 @@
+import helmet from 'helmet';
 import { NestFactory } from '@nestjs/core';
 import { ValidationPipe } from '@nestjs/common';
 import { WsAdapter } from '@nestjs/platform-ws';
@@ -18,6 +19,7 @@ process.on('unhandledRejection', (reason: any) => {
 async function bootstrap() {
 const app = await NestFactory.create(AppModule);
+ app.use(helmet());
 app.setGlobalPrefix('api');
 app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
 app.useWebSocketAdapter(new WsAdapter(app));
diff --git a/docker-compose.yml b/docker-compose.yml
index b6e51bd..b4f63c1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
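Review bot: The `chown -R wraith:wraith /app` in the added RUN line gives the runtime user ownership of everything under /app, so a compromised Node process could rewrite the code and dependencies it runs from; dropping root helps, but a root-owned, read-only code tree limits the damage further. If the app needs a writable location, create and chown only that path, e.g. `RUN addgroup -S wraith && adduser -S wraith -G wraith && mkdir -p /app/<writable-dir> && chown wraith:wraith /app/<writable-dir>` (placeholder path), and leave the copied files as they are. The recursive chown in its own layer also stores a second copy of every file it touches. Whether the `npx prisma migrate deploy` step in CMD needs write access under /app as the unprivileged user is not visible here and should be confirmed.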
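Review bot: No lockfile change accompanies the new `"helmet": "^8.0.0"` entry in this diff, so a lockfile-based install would either fail or, without a lockfile, resolve whatever 8.x release is current at build time; whether the project keeps a lockfile is not visible here, but if it does, the regenerated file belongs in the same commit. The entry is also out of alphabetical order, placed between `argon2` and `bcrypt`; moving it to its sorted position keeps later dependency diffs easy to audit.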
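Review bot: `app.use(helmet())` in bootstrap() takes helmet's defaults, which include a Content-Security-Policy that blocks inline scripts; if this server also serves the frontend build that the Dockerfile copies to ./public (not visible here), pages relying on inline scripts will break and the usual reaction is to switch CSP off altogether. State the policy explicitly instead, e.g. `app.use(helmet({ contentSecurityPolicy: { directives: { /* explicit sources for this app */ } } }));`, and add a comment such as `// Security headers first, so they apply to every route and static file`. These headers cover HTTP responses only, so the WebSocket connections set up by `useWebSocketAdapter` a few lines below still need their own origin check. bootstrap() continues past the end of the hunk.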
@@ -6,10 +6,8 @@ services:
 DATABASE_URL: postgresql://wraith:${DB_PASSWORD}@postgres:5432/wraith
 JWT_SECRET: ${JWT_SECRET}
 ENCRYPTION_KEY: ${ENCRYPTION_KEY}
- GUACD_HOST: host.docker.internal
+ GUACD_HOST: guacd
 GUACD_PORT: "4822"
- extra_hosts:
- - "host.docker.internal:host-gateway"
 depends_on:
 postgres:
 condition: service_healthy
@@ -19,13 +17,10 @@ services:
 guacd:
 image: guacamole/guacd
- network_mode: host
- entrypoint: ["/opt/guacamole/sbin/guacd", "-b", "0.0.0.0", "-L", "debug", "-f"]
 restart: always
 postgres:
 image: postgres:16-alpine
- ports: ["4211:5432"]
 volumes: [pgdata:/var/lib/postgresql/data]
 environment:
 POSTGRES_DB: wraith
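Review bot: With `GUACD_HOST: guacd` the backend now relies on the guacd service being up and resolvable on the compose network, but the `depends_on` block visible at the end of the first hunk lists only postgres (the block may continue outside the hunk). Adding `guacd:` with `condition: service_started` under `depends_on` makes the start order explicit. Because guacd accepts connections without authenticating the client, a comment on the service such as `# internal only: never publish 4822 or use host networking` would record why `network_mode: host` was removed in the second hunk.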