diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 8c4f7f9..0b4a9ec 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -1,5 +1,3 @@
-
-
 services:
 # MySQL 数据库
 mysql:
@@ -65,6 +63,24 @@ services:
 networks:
 - ai-cs-network
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - NET_BIND_SERVICE
+ read_only: true # 只读文件系统(防止写入恶意文件)
+ tmpfs:
+ - /tmp
+ - /var/tmp
+ - /app/.next/cache # Next.js 需要缓存目录
+ resources:
+ limits:
+ cpus: '2.0'
+ memory: 2G
+ reservations:
+ cpus: '0.5'
+ memory: 512M
 volumes:
 mysql_data:
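Review bot: The `resources:` mapping added after `tmpfs:` in the second hunk is placed directly under the service, but the Compose Specification only recognises it under `deploy:`, so depending on the Compose version the file is either rejected as having an unknown property or the 2G / 2-CPU limits are silently never applied; indent the whole block one level under a new `deploy:` key, i.e. `deploy:` / `  resources:` / `    limits:` and so on. The three `tmpfs` entries carry no size bound, and with `read_only: true` the Next.js cache can only grow inside that tmpfs, so it is worth switching them to the long-form `volumes` entry (`type: tmpfs` with `tmpfs: size:`) so a runaway cache cannot consume memory outside the limit you intend to set. The enclosing service definition starts outside the hunk, so its name, `user:` and `ports:` are not visible here; `NET_BIND_SERVICE` is only needed if the process binds a port below 1024 as a non-root user, and if the container listens on a high port that `cap_add` can be removed to keep the capability set at zero. A short comment on the `cap_add` line stating which port and user justify it would let the next reader verify that quickly.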