diff --git a/docker-compose.yml b/docker-compose.yml
index c628000..87934d4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -34,16 +34,39 @@ services:
 # Traefik Reverse Proxy Labels
 # -----------------------------
 labels:
+ # Enable Traefik
 - "traefik.enable=true"
- - "traefik.http.routers.mealie.rule=Host(`mealie.rozic-dev.com`) && PathPrefix(`/`)"
+
+ # HTTP → HTTPS redirect (recommended)
+ - "traefik.http.routers.mealie-http.entrypoints=web"
+ - "traefik.http.routers.mealie-http.rule=Host(`mealie.rozic-dev.com`)"
+ - "traefik.http.routers.mealie-http.middlewares=redirect-to-https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+
+ # HTTPS router
 - "traefik.http.routers.mealie.entrypoints=websecure"
+ - "traefik.http.routers.mealie.rule=Host(`mealie.rozic-dev.com`)"
 - "traefik.http.routers.mealie.tls.certresolver=letsencrypt"
 - "traefik.http.routers.mealie.tls=true"
+
+ # Service port
 - "traefik.http.services.mealie.loadbalancer.server.port=9000"
- # optional headers
- - "traefik.http.middlewares.mealie-headers.headers.stsSeconds=31536000"
- - "traefik.http.middlewares.mealie-headers.headers.forceSTSHeader=true"
- - "traefik.http.routers.mealie.middlewares=mealie-headers"
+
+ # Security headers middleware (improved)
+ - "traefik.http.middlewares.mealie-security.headers.customResponseHeaders.X-Robots-Tag=none"
+ - "traefik.http.middlewares.mealie-security.headers.stsSeconds=63072000"
+ - "traefik.http.middlewares.mealie-security.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.mealie-security.headers.stsPreload=true"
+ - "traefik.http.middlewares.mealie-security.headers.contentTypeNosniff=true"
+ - "traefik.http.middlewares.mealie-security.headers.browserXssFilter=true"
+ - "traefik.http.middlewares.mealie-security.headers.referrerPolicy=same-origin"
+ - "traefik.http.routers.mealie.middlewares=mealie-security"
+ deploy:
+ resources:
+ limits:
+ cpus: '1.0'
+ memory: 1024M
 postgres:
 image: postgres:15
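Review bot: `stsPreload=true` combined with `stsIncludeSubdomains=true` and `stsSeconds=63072000` on the new `mealie-security` middleware is a long-lived commitment that browsers cache for two years, yet it is attached to a router for the single host `mealie.rozic-dev.com`. Preload-list eligibility is judged on the registrable domain, so on this host the directive presumably does nothing by itself and only takes effect if the parent domain is later submitted; I would drop the `headers.stsPreload=true` label until every subdomain is known to serve HTTPS. Separately, `browserXssFilter=true` makes Traefik emit the legacy `X-XSS-Protection: 1; mode=block` header, which major browsers no longer act on; if the aim is hardening, a `headers.contentSecurityPolicy=...` value and `headers.frameDeny=true` (assuming Mealie is not framed elsewhere) on the same middleware would cover script injection and clickjacking. The `labels:` list and the service definition begin above the hunk, so the nesting of the added `deploy:` key under the service cannot be confirmed from here.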
@@ -82,10 +105,3 @@ volumes:
 driver: local
 mealie-pgdata:
 driver: local
-deploy: # works with docker-compose + swarm mode, also respected by Docker Desktop
- resources:
- limits:
- cpus: '1.0'
- memory: 1024M
- reservations:
- memory: 512M
\ No newline at end of file