diff --git a/Dockerfile b/Dockerfile
index 07e8bd6..72d022d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ffmpeg \
     && rm -rf /var/lib/apt/lists/*
 
+# Non-root User für Container-Hardening
+# (Synology DSM-Volumes haben ACLs — daher chown auf /data + /app)
+RUN groupadd -r appuser -g 1000 && \
+    useradd -r -u 1000 -g appuser -d /app -s /sbin/nologin appuser
+
 # Python-Dependencies zuerst (Docker Layer Cache)
 COPY backend/requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
@@ -18,9 +23,12 @@ COPY backend/ .
 # Zentrale Version (wird von main.py beim Startup gelesen)
 COPY VERSION /app/VERSION
 
-# Media-Verzeichnis
+# Media-Verzeichnis + Permissions
 RUN mkdir -p /data/media/dogs /data/media/diary /data/media/poison \
-    /data/media/breeds/gallery /data/media/breeds/submissions
+    /data/media/breeds/gallery /data/media/breeds/submissions && \
+    chown -R appuser:appuser /app /data
+
+USER appuser
 
 EXPOSE 8000
diff --git a/VERSION b/VERSION
index 03a524d..a42ee12 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1115
\ No newline at end of file
+1116
\ No newline at end of file
diff --git a/backend/static/index.html b/backend/static/index.html
index 09855ab..a4ddad0 100644
--- a/backend/static/index.html
+++ b/backend/static/index.html
@@ -86,14 +86,14 @@ Ban Yaro - + - - - - - + + + + +
@@ -617,11 +617,11 @@ - - - - - + + + + +
@@ -631,7 +631,7 @@ - +
diff --git a/backend/static/js/app.js b/backend/static/js/app.js
index 1585f23..04c7e91 100644
--- a/backend/static/js/app.js
+++ b/backend/static/js/app.js
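Review bot: The UID/GID in `groupadd -r appuser -g 1000` and `useradd -r -u 1000 …` are hard-coded, so the container identity cannot be matched to whoever owns the Synology-mounted /data directory without rebuilding the image; an `ARG APP_UID=1000` / `ARG APP_GID=1000` above the RUN, used as `-u ${APP_UID}` / `-g ${APP_GID}`, keeps the default and lets the NAS deployment pass the real owner at build time. A short comment such as `# default 1000 — set to the uid/gid that owns the /data share on the NAS` would make the meaning of the number explicit. The nologin path is worth confirming against the base image (the FROM line is outside the hunk): on Debian-based images the binary is `/usr/sbin/nologin`, and `/sbin/nologin` only resolves when /sbin is merged into /usr/sbin.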
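Review bot: `chown -R appuser:appuser /app /data` only changes ownership inside the image layer; when /data is bind-mounted from the DSM volume at runtime (which the first hunk's ACL comment implies), the host directory's ownership and ACLs take precedence, so the process running as uid 1000 after `USER appuser` can still fail with permission errors unless the host path is owned by, or ACL-granted to, that uid. The image-side chown of /data therefore only helps for an anonymous or fresh named volume, and the comment should say so, e.g. `# bind-mounted /data keeps host ownership — the NAS folder must be owned by uid/gid 1000`. Separately, `chown -R … /app` after `COPY backend/ .` rewrites every application file into a new layer; `COPY --chown=appuser:appuser backend/ .` on the COPY (outside this hunk) gives the same ownership without the duplicated layer.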
@@ -3,7 +3,7 @@ Router, State-Management, Navigation, Initialisierung.
 ============================================================ */
 
-const APP_VER = '1115'; // ← bei jedem Deploy mit Frontend-Änderungen erhöhen
+const APP_VER = '1116'; // ← bei jedem Deploy mit Frontend-Änderungen erhöhen
 const APP_VERSION = '1.6.0'; // ← semantische Version, wird bei make release gesetzt
 window.APP_VER = APP_VER; // global verfügbar für andere Module (z.B. offline-indicator)
 window.APP_VERSION = APP_VERSION;
diff --git a/backend/static/landing.html b/backend/static/landing.html
index 998f802..ba696fa 100644
--- a/backend/static/landing.html
+++ b/backend/static/landing.html
@@ -4,7 +4,7 @@ - + Ban Yaro — Die Hunde-App für Deutschland, Österreich & Schweiz
diff --git a/backend/static/sw.js b/backend/static/sw.js
index 3e64fad..e249086 100644
--- a/backend/static/sw.js
+++ b/backend/static/sw.js
@@ -4,7 +4,7 @@
 ============================================================ */
 
 // ← EINZIGE Stelle für die Version — STATIC_ASSETS und CACHE_VERSION leiten sich ab
-const VER = '1115';
+const VER = '1116';
 const CACHE_VERSION = `by-v${VER}`;
 const CACHE_STATIC = `${CACHE_VERSION}-static`;
 const CACHE_TILES = 'ban-yaro-tiles-v1'; // bleibt über SW-Updates erhalten
diff --git a/docker-compose.staging.yml b/docker-compose.staging.yml
index 38b4182..cf5e8b5 100644
--- a/docker-compose.staging.yml
+++ b/docker-compose.staging.yml
@@ -17,9 +17,8 @@ services:
       - APP_URL=https://staging.banyaro.app
       - STAGING=true
       - KI_MODE=cloud
-      - VAPID_PUBLIC_KEY=BMKbFAmpsqJ-eFef_4XJcYpuxPWqBNAoy9buMNnMSa6ijcPzltboHi_YccPKJrUD0isBez-vJIzAgjnLTWkzcC0
-      - VAPID_PRIVATE_KEY=8PWa9vvwMqtqsJEJGcwmiLhR0_Yl7duVX3wmWiKS878
-      - VAPID_CONTACT=mailto:admin@banyaro.app
+      # VAPID_PUBLIC_KEY / VAPID_PRIVATE_KEY / VAPID_CONTACT
+      # → kommen aus .env (nicht in Git)
     healthcheck:
       test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/')"]
       interval: 30s
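Review bot: Deleting `VAPID_PRIVATE_KEY` from the compose file does not revoke it — the value remains in git history and in every clone, so the key pair should be rotated and the removed one treated as exposed; the same applies to the docker-compose.yml hunk below, which drops the identical value. A `.env` file beside the compose file only supplies variable substitution for the compose file itself and is not injected into the container, so with the three entries replaced by comments and no `env_file:` or `- VAPID_PUBLIC_KEY=${VAPID_PUBLIC_KEY}` reference visible in the hunk, the service would start without these variables unless that wiring exists elsewhere in the file. Extending the comment, e.g. `# needs env_file: .env (or ${VAR} entries) — compose does not pass a bare .env into the container`, would make the required setup explicit. Rotating the pair presumably also invalidates existing push subscriptions bound to the old public key, so clients will need to re-subscribe; worth stating in the commit description.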
diff --git a/docker-compose.yml b/docker-compose.yml
index 019c40d..d984dcd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,10 +13,9 @@ services:
     environment:
       - DB_PATH=/data/banyaro.db
       - MEDIA_DIR=/data/media
-      - VAPID_PUBLIC_KEY=BMKbFAmpsqJ-eFef_4XJcYpuxPWqBNAoy9buMNnMSa6ijcPzltboHi_YccPKJrUD0isBez-vJIzAgjnLTWkzcC0
-      - VAPID_PRIVATE_KEY=8PWa9vvwMqtqsJEJGcwmiLhR0_Yl7duVX3wmWiKS878
-      - VAPID_CONTACT=mailto:admin@banyaro.app
       - UMAMI_URL=https://umami.motocamp.de
+      # VAPID_PUBLIC_KEY / VAPID_PRIVATE_KEY / VAPID_CONTACT
+      # → kommen aus .env (nicht in Git)
     healthcheck:
       test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/')"]
       interval: 30s