diff --git a/Security_Containers/docker-socket-proxy/compose.yaml b/Security_Containers/docker-socket-proxy/compose.yaml
index 4519ba3..3ac37b6 100644
--- a/Security_Containers/docker-socket-proxy/compose.yaml
+++ b/Security_Containers/docker-socket-proxy/compose.yaml
@@ -3,14 +3,18 @@ services:
 image: tecnativa/docker-socket-proxy:latest
 container_name: socket-proxy
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 environment:
- CONTAINERS: 1 # Traefik needs this
- SERVICES: 0
- TASKS: 0
- NETWORKS: 0
- NODES: 0
+ # Timeouts (silences HAProxy warning, sane for event streaming)
+ TIMEOUT_CONNECT: 5
+ TIMEOUT_CLIENT: 3600
+ TIMEOUT_SERVER: 3600
+ # Traefik only needs CONTAINERS
+ CONTAINERS: 1
+ # Everything else explicitly off
 BUILD: 0
 COMMIT: 0
 CONFIGS: 0
@@ -18,15 +22,22 @@ services:
 EXEC: 0
 IMAGES: 0
 INFO: 0
+ NETWORKS: 0
+ NODES: 0
 PLUGINS: 0
 POST: 0
 SECRETS: 0
+ SERVICES: 0
+ SESSION: 0
 SWARM: 0
 SYSTEM: 0
+ TASKS: 0
 VOLUMES: 0
 networks:
- - socket_proxy # isolated network, NOT traefik_network
+ - socket_proxy
+
 networks:
 socket_proxy:
 name: docker_socket_proxy
- driver: bridge
\ No newline at end of file
+ driver: bridge
+ internal: true # no external routing — container-to-container only
\ No newline at end of file
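Review bot: The new `# Everything else explicitly off` comment in the first hunk overstates what the allow-list covers: `EVENTS`, `PING` and `VERSION` are set nowhere in this file, and as far as I know this image enables those three by default, so they remain reachable through the proxy after this change. Either set them explicitly to the value the consumer needs (Traefik's Docker provider appears to rely on the events stream, so `EVENTS: 1` is probably required) so the list really is complete, or reword the comment to `# Everything else explicitly off (EVENTS, PING, VERSION keep the image defaults)`. Next to `CONTAINERS: 1` it is worth documenting the residual exposure, since read-only access to the containers API includes inspect output and therefore the environment variables of every container on the host; `internal: true` in the second hunk narrows who can reach the proxy, but a comment such as `# read-only, but inspect output exposes other containers' env vars — keep this network minimal` makes that trade-off visible to the next maintainer. `image: tecnativa/docker-socket-proxy:latest` is context rather than part of the change, but for the one component that holds the Docker socket, pinning to a version tag or digest would be the usual follow-up.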