diff --git a/apps/website/public/canary.sh b/apps/website/public/canary.sh
index 5f23c0a..7383e5c 100644
--- a/apps/website/public/canary.sh
+++ b/apps/website/public/canary.sh
@@ -156,7 +156,7 @@ install_dokploy() {
     --restart always \
     -v /etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml \
     -v /etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic \
-    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v /var/run/docker.sock:/var/run/docker.sock:ro \
     -p 80:80/tcp \
     -p 443:443/tcp \
     -p 443:443/udp \
@@ -169,9 +169,10 @@ install_dokploy() {
     #     --name dokploy-traefik \
     #     --constraint 'node.role==manager' \
     #     --network dokploy-network \
+    #     --security-opt no-new-privileges:true \
     #     --mount type=bind,source=/etc/dokploy/traefik/traefik.yml,target=/etc/traefik/traefik.yml \
     #     --mount type=bind,source=/etc/dokploy/traefik/dynamic,target=/etc/dokploy/traefik/dynamic \
-    #     --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
+    #     --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock,readonly \
     #     --publish mode=host,published=443,target=443 \
     #     --publish mode=host,published=80,target=80 \
     #     --publish mode=host,published=443,target=443,protocol=udp \