diff --git a/Dockerfile b/Dockerfile
index af812de..4327f20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,9 @@ FROM node:22-alpine
 
 WORKDIR /app
 
+# Install wget for health check
+RUN apk add --no-cache wget
+
 # Copy package files first for better layer caching
 COPY package*.json ./
 RUN npm install --production
@@ -9,11 +12,14 @@ RUN npm install --production
 # Copy source
 COPY . .
 
+# Create non-root user for security
+RUN addgroup -g 1001 crucix &&     adduser -D -u 1001 -G crucix crucix &&     chown -R crucix:crucix /app
+USER crucix
+
 # Default port (override with -e PORT=xxxx)
 EXPOSE 3117
 
 # Health check
-HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
-  CMD wget -qO- http://localhost:3117/api/health || exit 1
+HEALTHCHECK --interval=60s --timeout=10s --retries=3   CMD wget -qO- http://localhost:3117/api/health || exit 1
 
 CMD ["node", "server.mjs"]
diff --git a/crucix.config.mjs b/crucix.config.mjs
index da25ca1..c5081b5 100644
--- a/crucix.config.mjs
+++ b/crucix.config.mjs
@@ -2,8 +2,18 @@
 
 import './apis/utils/env.mjs'; // Load .env first
 
+// Security: validate PORT is numeric and in safe range
+function validatePort(val) {
+  const port = parseInt(val);
+  if (isNaN(port) || port < 1024 || port > 65535) {
+    console.warn('[Crucix] Invalid PORT, using default 3117');
+    return 3117;
+  }
+  return port;
+}
+
 export default {
-  port: parseInt(process.env.PORT) || 3117,
+  port: validatePort(process.env.PORT),
   refreshIntervalMinutes: parseInt(process.env.REFRESH_INTERVAL_MINUTES) || 15,
 
   llm: {