diff --git a/docker-compose.yml b/docker-compose.yml
index 87934d4..a6e3edd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -34,34 +34,53 @@ services: # Traefik Reverse Proxy Labels # ----------------------------- labels: - # Enable Traefik + # ────────────────────────────── + # Enable Traefik for this container + # ────────────────────────────── - "traefik.enable=true" - # HTTP → HTTPS redirect (recommended) + # ────────────────────────────── + # HTTP → HTTPS redirect router + # ────────────────────────────── - "traefik.http.routers.mealie-http.entrypoints=web" - "traefik.http.routers.mealie-http.rule=Host(`mealie.rozic-dev.com`)" - - "traefik.http.routers.mealie-http.middlewares=redirect-to-https" - - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" + - "traefik.http.routers.mealie-http.middlewares=mealie-redirect" - # HTTPS router + # ────────────────────────────── + # HTTPS router (the real one) + # ────────────────────────────── - "traefik.http.routers.mealie.entrypoints=websecure" - "traefik.http.routers.mealie.rule=Host(`mealie.rozic-dev.com`)" - - "traefik.http.routers.mealie.tls.certresolver=letsencrypt" - "traefik.http.routers.mealie.tls=true" + - "traefik.http.routers.mealie.tls.certresolver=letsencrypt" # ← change only if your resolver has a different name + - "traefik.http.routers.mealie.middlewares=mealie-chain" - # Service port + # ────────────────────────────── + # Service (where Traefik forwards the traffic) + # ────────────────────────────── - "traefik.http.services.mealie.loadbalancer.server.port=9000" - # Security headers middleware (improved) - - "traefik.http.middlewares.mealie-security.headers.customResponseHeaders.X-Robots-Tag=none" + # ────────────────────────────── + # Middleware: redirect HTTP → HTTPS + # ────────────────────────────── + - "traefik.http.middlewares.mealie-redirect.redirectscheme.scheme=https" + - "traefik.http.middlewares.mealie-redirect.redirectscheme.permanent=true" + + # ────────────────────────────── + # Middleware: security headers + 
# ────────────────────────────── - "traefik.http.middlewares.mealie-security.headers.stsSeconds=63072000" - "traefik.http.middlewares.mealie-security.headers.stsIncludeSubdomains=true" - "traefik.http.middlewares.mealie-security.headers.stsPreload=true" - "traefik.http.middlewares.mealie-security.headers.contentTypeNosniff=true" - "traefik.http.middlewares.mealie-security.headers.browserXssFilter=true" - "traefik.http.middlewares.mealie-security.headers.referrerPolicy=same-origin" - - "traefik.http.routers.mealie.middlewares=mealie-security" + - "traefik.http.middlewares.mealie-security.headers.customResponseHeaders.X-Robots-Tag=none" + + # ────────────────────────────── + # Chain: redirect + security headers (applied only to HTTPS router) + # ────────────────────────────── + - "traefik.http.middlewares.mealie-chain.chain.middlewares=mealie-security" deploy: resources: limits: @@ -74,6 +93,7 @@ services: restart: always networks: - internal + - traefik environment: POSTGRES_DB: mealie POSTGRES_USER: mealie
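Review bot: The comment above the added `traefik.http.middlewares.mealie-chain.chain.middlewares=mealie-security` label says the chain is "redirect + security headers", but the chain holds only `mealie-security`; the redirect is wired to the HTTP router through `mealie-redirect`, so the comment misdescribes what the HTTPS router actually applies. A one-element chain is also an extra indirection that the removed `traefik.http.routers.mealie.middlewares=mealie-security` did without. Either correct the comment to `# Chain: security headers only (the HTTP → HTTPS redirect lives on the mealie-http router)` or drop the chain labels and point the HTTPS router straight at the middleware with `- "traefik.http.routers.mealie.middlewares=mealie-security"`. The enclosing service definition starts before this hunk, so the container these labels belong to is not visible here.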
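Review bot: Adding `- traefik` under `networks:` in the second hunk (`@@ -74,6 +93,7 @@`) widens the reachable surface of this container if it is the Postgres service, which the surrounding `POSTGRES_DB`/`POSTGRES_USER` environment suggests but the hunk cannot confirm, since the service definition starts outside it. Only the container carrying the Traefik labels needs to sit on the proxy network; a database should stay on `internal` alone so that the reverse proxy and anything else sharing the `traefik` network cannot open a connection to it. If this is the Mealie application container itself, the addition is required for the labelled routers to reach it, and a comment such as `# traefik: lets the proxy reach the labelled service; keep the database off this network` would make the intent clear to the next reader.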