diff --git a/Dockerfile b/Dockerfile
index f8d8572..f874355 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
-ARG BUILDER_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.1
-ARG RUNTIME_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.1
+ARG BUILDER_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.2
+ARG RUNTIME_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.2
FROM $BUILDER_IMAGE AS builder
@@ -35,11 +35,20 @@ RUN rm -f /etc/apk/repositories \
ENV BACKEND_URL=http://localhost:8080
ENV CONFIG_DATA_EXECUTOR_URL=http://localhost:8080/api
-COPY config/nginx.conf /etc/nginx/nginx.conf
-COPY --from=builder /app/frontend/dist /usr/share/nginx/html
-COPY --from=builder /app/backend/target/*.jar /home/app/backend.jar
-COPY --from=builder /app/config-data-executor/target/*.jar /home/app/cde.jar
EXPOSE 80
+RUN addgroup --system --gid 1002 app \
+ && adduser -S app -u 1002 -G app \
+ && adduser -S cde -u 1003 -G app
+
+COPY config/nginx.conf /etc/nginx/nginx.conf
+COPY --from=builder /app/frontend/dist /usr/share/nginx/html
+COPY --from=builder /app/backend/target/*.jar /home/app/backend.jar
+COPY --from=builder /app/config-data-executor/target/*.jar /home/cde/cde.jar
+
+USER app
+
+WORKDIR /home/app
+
ENTRYPOINT ["java", "-jar", "/home/app/backend.jar"]
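Review bot: The new RUN mixes option styles — `addgroup --system --gid 1002` uses long options while both `adduser` calls use short ones (`-S -u -G`); busybox accepts `addgroup -S -g 1002 app`, which keeps the three calls uniform. The fixed ids 1002/1003 are a good choice for runAsNonRoot-style checks, but nothing records why they exist, why both accounts share the `app` group, or why the third identity this image is run under (`101:102` in config/docker-compose.yaml) is not created here; a comment such as `# fixed ids so compose/orchestrators can reference them: app=1002 (backend), cde=1003 (executor); nginx relies on the base image's own account` would make the contract explicit (confirm that last part against the base image). The copied jars and html stay root-owned and read-only to these users, which is the right least-privilege default — only add `--chown` if a service must write next to its jar.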
diff --git a/backend/pom.xml b/backend/pom.xml
index bef3c56..e20abc3 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -5,7 +5,7 @@
ru.micord.ervu
eks
- 1.1.5-SNAPSHOT
+ 1.2.0-SNAPSHOT
ru.micord.ervu.eks
backend
diff --git a/config-data-executor/Dockerfile b/config-data-executor/Dockerfile
deleted file mode 100644
index 0aaea2c..0000000
--- a/config-data-executor/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM bellsoft/liberica-openjdk-alpine:17-cds
-COPY target/*.jar app.jar
-
-CMD ["java", "-jar", "app.jar"]
\ No newline at end of file
diff --git a/config-data-executor/pom.xml b/config-data-executor/pom.xml
index aae9d83..21e3529 100644
--- a/config-data-executor/pom.xml
+++ b/config-data-executor/pom.xml
@@ -6,7 +6,7 @@
ru.micord.ervu
eks
- 1.1.5-SNAPSHOT
+ 1.2.0-SNAPSHOT
ru.micord.ervu.eks
config-data-executor
diff --git a/config-data-executor/src/main/java/org/micord/service/RequestService.java b/config-data-executor/src/main/java/org/micord/service/RequestService.java
index ea810f9..73a73d0 100644
--- a/config-data-executor/src/main/java/org/micord/service/RequestService.java
+++ b/config-data-executor/src/main/java/org/micord/service/RequestService.java
@@ -23,6 +23,7 @@ import java.util.stream.IntStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import jakarta.annotation.PostConstruct;
import org.micord.config.ArangoDBConnection;
import org.micord.config.DatabaseConnection;
import org.micord.config.S3HttpConnection;
@@ -56,12 +57,18 @@ public class RequestService {
private static final Logger logger = LoggerFactory.getLogger(RequestService.class);
+ private DocumentBuilderFactory secureDocumentFactory;
@Autowired
private HttpClient httpClient;
@Autowired
private ValidationService validationService;
+ @PostConstruct
+ public void init() {
+ secureDocumentFactory = createSecureDocumentBuilderFactory();
+ }
+
private void processS3Request(S3Request request, RequestParameters parameters, Map validationResults) {
logger.info("B. Starting processing of single S3 request");
try {
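Review bot: `secureDocumentFactory` turns what was a per-call factory into a shared field on a Spring-managed bean, but the JAXP Javadoc states that a DocumentBuilderFactory implementation is not guaranteed to be thread-safe, so concurrent invocations of handleErrorResponse (the hunk at @@ -219) may now call `newDocumentBuilder()` on the same instance where the old code could not race. If that path can run on multiple threads, keep the hardening but build the factory per call, `DocumentBuilder builder = createSecureDocumentBuilderFactory().newDocumentBuilder();`, and drop the field and `init()`; otherwise document the single-threaded assumption on the field. processS3Request's body continues outside the hunk.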
@@ -219,8 +226,7 @@ public class RequestService {
private void handleErrorResponse(HttpResponse response, String file) {
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
+ DocumentBuilder builder = secureDocumentFactory.newDocumentBuilder();
InputSource is = new InputSource(new StringReader(response.body()));
Document doc = builder.parse(is);
Element root = doc.getDocumentElement();
@@ -703,4 +709,14 @@ public class RequestService {
}
}
+ private DocumentBuilderFactory createSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ catch (Exception e) {
+ throw new RuntimeException("Failed to secure XML parser", e);
+ }
+ return factory;
+ }
}
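Review bot: createSecureDocumentBuilderFactory carries no comment on why the feature is set, which is exactly the kind of line a later maintainer "simplifies" away; a Javadoc such as `/** DocumentBuilderFactory hardened against XXE: DOCTYPE declarations are rejected, so no external entities can be declared in the parsed response bodies. */` fixes that. Disallowing DOCTYPE is the primary control, but `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);` are cheap defence in depth beside it. `setFeature` declares only `ParserConfigurationException`, so `catch (ParserConfigurationException e)` is the precise form; catching `Exception` is broader than the call warrants.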
diff --git a/config/.env b/config/.env
index 5c4558f..714e737 100644
--- a/config/.env
+++ b/config/.env
@@ -1 +1 @@
-IMAGE=eks-app:latest
+IMAGE=eks-app:1.1.5
diff --git a/config/docker-compose.yaml b/config/docker-compose.yaml
index 4e02b55..f609344 100644
--- a/config/docker-compose.yaml
+++ b/config/docker-compose.yaml
@@ -14,6 +14,8 @@ services:
eks-backend:
image: ${IMAGE:-eks-app:latest}
+ user: app
+ working_dir: /home/app
depends_on:
- db
entrypoint: ["java", "-jar", "/home/app/backend.jar"]
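Review bot: `user: app` and `working_dir: /home/app` (and `user: cde` / `/home/cde/cde.jar` in the eks-cde hunk at @@ -35) resolve names and paths that only exist in an image built from the updated Dockerfile, while config/.env in this same commit pins `IMAGE=eks-app:1.1.5`. If that tag was cut before this change — the poms move from 1.1.5-SNAPSHOT to 1.2.0-SNAPSHOT here, which suggests it was — the containers will fail to start with an unknown user, so the pin should point at the image produced from this Dockerfile. For eks-backend the two lines also duplicate the `USER app` / `WORKDIR /home/app` the Dockerfile now sets; keeping them is harmless but worth a comment like `# mirrors USER/WORKDIR in the Dockerfile; required only when overriding the image default`.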
@@ -25,6 +27,7 @@ services:
eks-frontend:
image: ${IMAGE:-eks-app:latest}
+ user: "101:102"
depends_on:
- eks-backend
ports:
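Review bot: `user: "101:102"` runs nginx under numeric ids that nothing in this diff creates or documents, and nginx as non-root needs write access to the paths its config uses — `/var/log/nginx/access.log` and `error.log` from config/nginx.conf, plus its pid and cache directories — none of which the Dockerfile hunk prepares; unless the base image already provisions them for that id, nginx will exit at startup. `listen 80` as non-root additionally depends on the runtime permitting unprivileged low ports (Docker Engine 20.10+ does by default; Kubernetes generally does not without a capability). A comment such as `# nginx uid:gid provided by the base image's nginx package — keep in sync with the Dockerfile` would at least record where the ids come from.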
@@ -35,7 +38,9 @@ services:
eks-cde:
image: ${IMAGE:-eks-app:latest}
- entrypoint: ["java", "-jar", "/home/app/cde.jar"]
+ user: cde
+ working_dir: /home/cde
+ entrypoint: ["java", "-jar", "/home/cde/cde.jar"]
volumes:
- ./cde-xml:/cde-xml
environment:
diff --git a/config/nginx.conf b/config/nginx.conf
index 76c1450..ec0a5c1 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -19,16 +19,10 @@ http {
gzip on;
gzip_types text/plain text/css text/xml application/x-javascript application/atom+xml;
- log_format nginx_main
- '$remote_addr - $remote_user [$time_local] $request '
- '"$status" $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for" '
- '"$request_filename" "$gzip_ratio" $upstream_response_time server: $host : $document_root $fastcgi_script_name ';
-
server {
listen 80 default;
- access_log /var/log/nginx/access.log nginx_main;
+ access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log error;
root /usr/share/nginx/html;
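Review bot: Switching `access_log` to the built-in `combined` format drops `$http_x_forwarded_for` from every access line, so if this frontend sits behind a load balancer or reverse proxy (likely, given the X-Forwarded-For headers set further down in the same file) the logged `$remote_addr` is the proxy and the original client IP is no longer recorded for incident attribution. If the goal was just to trim the noisy custom format, nginx's conventional `main` format keeps that field: `log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for";` with `access_log /var/log/nginx/access.log main;`.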
@@ -74,7 +68,6 @@ http {
proxy_pass http://eks-backend:8080/ervu-eks/;
proxy_set_header Accept application/json;
add_header Content-Type application/json;
- proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
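Review bot: With `proxy_set_header Host $host;` removed, the upstream now receives nginx's default `$proxy_host` (`eks-backend:8080`) as Host, so the backend can no longer see the hostname the client used; if it builds absolute URLs, redirects or cookie domains from Host, those will now point at the internal service name. If dropping Host was deliberate (e.g. the backend rejected the external name), preserve the original values in the standard headers instead: `proxy_set_header X-Forwarded-Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`, and record the reason in a comment on the location block.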
diff --git a/frontend/pom.xml b/frontend/pom.xml
index 1a83a07..e8d9367 100644
--- a/frontend/pom.xml
+++ b/frontend/pom.xml
@@ -4,7 +4,7 @@
ru.micord.ervu
eks
- 1.1.5-SNAPSHOT
+ 1.2.0-SNAPSHOT
ru.micord.ervu.eks
diff --git a/pom.xml b/pom.xml
index 43573e4..9e4483d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
4.0.0
ru.micord.ervu
eks
- 1.1.5-SNAPSHOT
+ 1.2.0-SNAPSHOT
pom
backend
diff --git a/resources/pom.xml b/resources/pom.xml
index 9cc037c..94ea280 100644
--- a/resources/pom.xml
+++ b/resources/pom.xml
@@ -4,7 +4,7 @@
ru.micord.ervu
eks
- 1.1.5-SNAPSHOT
+ 1.2.0-SNAPSHOT
ru.micord.ervu.eks