diff --git a/abra.sh b/abra.sh
index 419452f..3c364b4 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 export ENTRYPOINT_VERSION=v2
-export INIT_VERSION=v1
+export NGINX_CONFIG_VERSION=v1
 file_env() {
 local var="$1"
diff --git a/compose.yml b/compose.yml
index d510f7b..bf2e33e 100644
--- a/compose.yml
+++ b/compose.yml
@@ -4,53 +4,96 @@ version: "3.8"
 services:
 app:
+ image: nginx:stable
+ networks:
+ - internal
+ - proxy
+ volumes:
+ - uploads:/liberaforms/uploads:ro
+ - static:/liberaforms/static:ro
+ configs:
+ - source: nginx_conf
+ mode: 555
+ target: /etc/nginx/conf.d/default.conf
+ deploy:
+ restart_policy:
+ condition: on-failure
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+ - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+ - "coop-cloud.${STACK_NAME}.version=wip"
+ healthcheck:
+ test: [ "CMD", "curl", "-f", "http://localhost" ]
+ interval: 30s
+ timeout: 10s
+ retries: 10
+ start_period: 1m
+
+ forms:
 image: fung.uy/mycosystems/liberaforms:v4.0.0
 configs:
 - source: entrypoint
- mode: 0555
+ mode: 555
 target: /custom-entrypoint.sh
 entrypoint: /custom-entrypoint.sh
 command: "/usr/bin/supervisord -n"
 environment:
- ENABLE_LDAP: "False"
- FLASK_DEBUG: "False"
- FLASK_CONFIG: production
- DB_HOST: db
- DB_USER: liberaforms
- DB_PASSWORD_FILE: /run/secrets/db_password
- DB_NAME: liberaforms
- BASE_URL: https://${DOMAIN}
- ROOT_USER: ${ADMIN_USER}
- TMP_DIR: /tmp
- SECRET_KEY_FILE: /run/secrets/secret_key
- CRYPTO_KEY_FILE: /run/secrets/crypto_key
- SESSION_TYPE: "filesystem"
- LOG_LEVEL: INFO
- LOG_DIR: /app/logs
- GUNICORN_WORKERS: ${GUNICORN_WORKERS:-3}
+ - ENABLE_LDAP=False
+ - FLASK_DEBUG=False
+ - FLASK_CONFIG=production
+ - DB_HOST=db
+ - DB_USER=liberaforms
+ - DB_PASSWORD_FILE=/run/secrets/db_password
+ - DB_NAME=liberaforms
+ - BASE_URL=https://${DOMAIN}
+ - ROOT_USER=${ADMIN_USER}
+ - TMP_DIR=/tmp
+ - SECRET_KEY_FILE=/run/secrets/secret_key
+ - CRYPTO_KEY_FILE=/run/secrets/crypto_key
+ - SESSION_TYPE=filesystem
+ - LOG_LEVEL=INFO
+ - LOG_DIR=/app/logs
+ - GUNICORN_WORKERS=${GUNICORN_WORKERS:-3}
+ - DEFAULT_LANGUAGE
+ - SECRET_KEY
+ - TOKEN_EXPIRATION
+ - DEFAULT_TIMEZONE
+ - ENABLE_UPLOADS
+ - TOTAL_UPLOADS_LIMIT
+ - DEFAULT_USER_UPLOADS_LIMIT
+ - ENABLE_REMOTE_STORAGE
+ - MAX_MEDIA_SIZE
+ - MAX_ATTACHMENT_SIZE
+ - ENABLE_PROMETHEUS_METRICS
+ - ENABLE_RSS_FEED
+ - LDAP_SERVER
+ - LDAP_ANONYMOUS_BIND
+ - LDAP_BIND_ACCOUNT
+ - LDAP_BIND_PASSWORD
+ - LDAP_USER_DN_LIST
+ - LDAP_SEARCH_BASE_DN
+ - LDAP_FILTER
+ - LDAP_MAIL_ATTRIB
+ - LDAP_RECOVER_PASSWD_URL
+ - E2EE_MODE
 volumes:
 - uploads:/app/uploads
 - log:/app/logs
+ - static:/app/liberaforms/static
 secrets:
 - db_password
 - secret_key
 - crypto_key
 networks:
 - internal
- - proxy
- deploy:
- labels:
- - "coop-cloud.${STACK_NAME}.version=wip"
- - "traefik.enable=true"
- - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5000"
- - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 db:
 image: postgres:17
 healthcheck:
- test: ["CMD", "pg_isready", "-q", "-d", "postgres", "-U", "${POSTGRES_ROOT_USER}"]
+ test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "liberaforms" ]
 timeout: 45s
 interval: 10s
 retries: 10
@@ -78,9 +121,11 @@ secrets:
 volumes:
 uploads:
+ static:
 log:
 db:
+
 networks:
 internal:
 proxy:
@@ -91,3 +136,6 @@ configs:
 name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
 file: entrypoint.sh.tmpl
 template_driver: golang
+ nginx_conf:
+ name: ${STACK_NAME}_nginx_conf_${NGINX_CONFIG_VERSION}
+ file: nginx.conf
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..0a07d76
--- /dev/null
+++ b/nginx.conf
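Review bot: The new `environment` list for `forms` passes `SECRET_KEY` and `LDAP_BIND_PASSWORD` through as plain environment variables, so these secrets become readable via `docker inspect` and `/proc/<pid>/environ` of every process in the container, while the same block already delivers the key as a file secret via `SECRET_KEY_FILE=/run/secrets/secret_key`; drop `- SECRET_KEY` from the pass-through list and, if the image honours a `_FILE` variant, move the LDAP bind password to a Docker secret as well. The two `mode: 555` entries (the changed one under `entrypoint` and the new one under `nginx_conf`) are also suspect: Compose parses `mode` as an integer, and an unquoted `555` is decimal 555 (0o1053: sticky bit set, owner with no permissions), whereas the previous `0555` was read as octal `r-xr-xr-x`, so this should stay `mode: 0555`. Finally, the `app` healthcheck runs `curl`, which as far as I can tell the official `nginx:stable` image does not ship, so the service would never report healthy and `restart_policy: on-failure` would keep cycling it; verify in the image or use a check it can actually execute.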
@@ -0,0 +1,35 @@
+server {
+ listen 80;
+ server_name localhost;
+
+ client_max_body_size 2m;
+
+ add_header Referrer-Policy "origin-when-cross-origin";
+ add_header X-Content-Type-Options nosniff;
+
+ location / {
+ location /static/ {
+ alias /liberaforms/static/;
+ }
+ location /favicon.ico {
+ alias /liberaforms/uploads/media/brand/favicon.ico;
+ }
+ location /logo.png {
+ alias /liberaforms/uploads/media/brand/logo.png;
+ }
+ location /file/media/ {
+ alias /liberaforms/uploads/media/;
+ }
+ location /metrics {
+ return 404;
+ }
+ proxy_pass http://forms:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass_header server;
+ if ($request_uri !~ "/embed") {
+ add_header X-Frame-Options "SAMEORIGIN";
+ }
+ }
+}
\ No newline at end of file
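Review bot: The clickjacking guard `if ($request_uri !~ "/embed")` can be bypassed, because `$request_uri` includes the query string and the pattern is unanchored, so any page requested as `/login?next=/embed` is served without `X-Frame-Options` and can be framed; the test must run on the normalized `$uri` and be anchored to the real embed route. The `add_header` inside that `if` block also suppresses inheritance of the server-level `Referrer-Policy` and `X-Content-Type-Options` for every request that enters the block, since nginx only inherits `add_header` from outer levels when the current level sets none. A `map` on `$uri` feeding a single server-level `add_header ... always` (an empty mapped value means the header is simply not emitted) fixes both, and it belongs in this file because `conf.d/*.conf` is included from the `http {}` context. Separately, `proxy_set_header X-Forwarded-For $remote_addr` overwrites the header Traefik already set (see the labels in compose.yml), so the app sees the proxy's address rather than the client's; use `$proxy_add_x_forwarded_for`, and consider dropping `proxy_pass_header server`, which only forwards the upstream's `Server` banner.

```nginx
# Decide X-Frame-Options from the normalized path ($uri has no query string), so
# "?x=/embed" cannot switch the header off. Tighten "~/embed" to the exact embed
# route once it is known (e.g. "~/embed$" or "~^/embed/").
map $uri $frame_options {
    default  "SAMEORIGIN";
    ~/embed  "";
}

server {
    listen 80;
    server_name localhost;

    client_max_body_size 2m;

    # "always" keeps these on error responses too; an empty $frame_options means no header.
    add_header Referrer-Policy "origin-when-cross-origin" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options $frame_options always;

    location / {
        # … unchanged: /static/, /favicon.ico, /logo.png, /file/media/, /metrics sub-locations …
        proxy_pass http://forms:5000;
        proxy_set_header Host $host;
        # Append to Traefik's X-Forwarded-For instead of replacing it with the proxy's own address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```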