diff --git a/.env.example b/.env.example
index 683eb5c1..78b0cfa6 100644
--- a/.env.example
+++ b/.env.example
@@ -2,15 +2,14 @@
 # Copy to .env and fill in your values

 # ==================== Database ====================
-# Local development
-DATABASE_URL=postgres://momshell:momshell@localhost:5432/momshell?sslmode=disable
-# Docker deployment (uses container name "postgres" as host)
-# DATABASE_URL=postgres://momshell:momshell@postgres:5432/momshell?sslmode=disable
-
-# Docker Postgres container settings
+# Set strong, unique credentials here — never commit real passwords
 POSTGRES_USER=momshell
-POSTGRES_PASSWORD=momshell
+POSTGRES_PASSWORD=CHANGE_ME
 POSTGRES_DB=momshell
+# Local development (keep credentials in sync with POSTGRES_* vars above)
+DATABASE_URL=postgres://momshell:${POSTGRES_PASSWORD}@localhost:5432/momshell?sslmode=disable
+# Docker deployment (uses container name "postgres" as host)
+# DATABASE_URL=postgres://momshell:CHANGE_ME@postgres:5432/momshell?sslmode=disable

 # ==================== JWT ====================
 # IMPORTANT: Change this in production
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c5ab154..033c7ee4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,13 +8,12 @@ on:
 branches:
 - "**"
-permissions:
- contents: read
-
 jobs:
 frontend-cq:
 name: Frontend Code Quality
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
@@ -33,7 +32,7 @@ jobs:
 cache: "npm"
 cache-dependency-path: frontend/package-lock.json

- - run: npm ci
+ - run: npm ci --ignore-scripts

 - name: ESLint
 run: npm run lint
@@ -47,6 +46,8 @@ jobs:

 go-cq:
 name: Go Code Quality
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 9cfd7964..a776b71a 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
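Review bot: A strong password, which the new comment asks for, will break the `DATABASE_URL=postgres://momshell:${POSTGRES_PASSWORD}@localhost:5432/momshell?sslmode=disable` line as soon as it contains a URL-reserved character (`@`, `:`, `/`, `#`, `%`), because the value is spliced into the URL without percent-encoding, and the `${POSTGRES_PASSWORD}` reference additionally assumes every consumer of `.env` expands variables (godotenv does for unquoted values as far as I recall; other tools may pass the literal through). A comment above the line would spare the next person a puzzling connection error: `# Percent-encode @ : / # % if they appear in the password; this URL is not escaped automatically`. The user and database name are still hard-coded as `momshell` even though the comment asks to keep them in sync with the `POSTGRES_*` values; `DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:5432/${POSTGRES_DB}?sslmode=disable` removes the drift, and the commented Docker variant that still embeds `CHANGE_ME` could use the same form.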
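Review bot: Dropping the workflow-level `permissions:` block changes the default for every job that does not declare its own: only `frontend-cq` here and `go-cq` in the `@@ -47,6 +46,8 @@` hunk are shown receiving `contents: read`, and any other job in this file (none is visible in the diff, so I cannot tell whether one exists) now falls back to the repository's default `GITHUB_TOKEN` scope, which can be write-all on older repositories. Keeping `permissions:` / `  contents: read` at the workflow root as the floor costs nothing, and a job that needs more can still widen its own block; the least-privilege guarantee then no longer depends on each future job remembering the per-job declaration.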
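Review bot: `npm ci --ignore-scripts` also suppresses the frontend's own lifecycle hooks (`prepare`, `postinstall`) and any dependency that compiles at install time, so a green lint run here is not proof that a plain `npm ci` works; if no such hooks exist that is fine for a code-quality job, but a comment on the step records the intent and keeps the flag from being "fixed" away later: `# --ignore-scripts: no install hooks are needed for lint, and it keeps third-party postinstall scripts from running in CI`. The enclosing `steps:` list starts and ends outside the hunk.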
@@ -48,7 +48,7 @@ func Load() *Config {
 _ = godotenv.Overload("../.env")

 cfg := &Config{
- DatabaseURL: getEnv("DATABASE_URL", "postgres://user:password@localhost:5432/momshell?sslmode=disable"),
+ DatabaseURL: getEnv("DATABASE_URL", ""),
 JWTSecretKey: getEnv("JWT_SECRET_KEY", "change-me-in-production"),
 JWTAlgorithm: "HS256",
 JWTAccessTokenExpireMin: getEnvInt("JWT_ACCESS_TOKEN_EXPIRE_MINUTES", 30),
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 65e2e134..7f34bfa8 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 restart: unless-stopped
 env_file: ../.env
 environment:
- DATABASE_URL: postgres://${POSTGRES_USER:-momshell}:${POSTGRES_PASSWORD:-momshell}@postgres:5432/${POSTGRES_DB:-momshell}?sslmode=disable
+ DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
 CORS_ORIGINS: "*"
 ports:
 - "7860:7860"
@@ -19,16 +19,17 @@ services:
 image: postgres:16-alpine
 container_name: momshell-postgres
 restart: unless-stopped
+ env_file: ../.env
 environment:
- POSTGRES_USER: ${POSTGRES_USER:-momshell}
- POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-momshell}
- POSTGRES_DB: ${POSTGRES_DB:-momshell}
+ POSTGRES_USER: ${POSTGRES_USER}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+ POSTGRES_DB: ${POSTGRES_DB}
 volumes:
 - pgdata:/var/lib/postgresql/data
 expose:
 - "5432"
 healthcheck:
- test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-momshell}"]
+ test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
 interval: 5s
 timeout: 3s
 retries: 5
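Review bot: With the default reduced to `""`, an unset `DATABASE_URL` no longer fails where the problem is: `Load()` hands back a config with an empty DSN and the error surfaces only on the first connection attempt, where some drivers treat an empty string as "use libpq defaults" rather than rejecting it. Since the credential-bearing fallback was removed deliberately, fail fast once `cfg` is built, e.g. `if cfg.DatabaseURL == "" { log.Fatal("DATABASE_URL is required") }` with whatever logger this package already uses. The same pattern remains on the context line `JWTSecretKey: getEnv("JWT_SECRET_KEY", "change-me-in-production")`, which the commit leaves as a working default. `Load()` starts and ends outside the hunk.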
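Review bot: Removing the `:-momshell` fallbacks is the right direction, but an unset variable still interpolates to an empty string (Compose only warns), so the app receives `DATABASE_URL=postgres://:@postgres:5432/?sslmode=disable` and the database container gets empty credentials instead of a clear failure; the `${VAR:?message}` form aborts `compose up` itself, e.g. `DATABASE_URL: postgres://${POSTGRES_USER:?set in .env}:${POSTGRES_PASSWORD:?set in .env}@postgres:5432/${POSTGRES_DB:?set in .env}?sslmode=disable`, and the same applies to the three `POSTGRES_*` entries and the `pg_isready` healthcheck in the `@@ -19,16 +19,17 @@` hunk. Note that `${...}` interpolation reads the `.env` of the Compose project directory, not the `env_file: ../.env` the services load into their containers, so unless Compose is pointed at that file (`--env-file ../.env` or `--project-directory`, depending on the Compose version) these values come out empty — the diff does not show how it is invoked. Adding `env_file: ../.env` to the Postgres service also passes every variable in `.env` (JWT secret, app settings) into that container, which only needs the three `POSTGRES_*` values already listed under `environment:`; once interpolation is guaranteed, that `env_file` line can be dropped.
```yaml
    environment:
      POSTGRES_USER: ${POSTGRES_USER:?set POSTGRES_USER in .env}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
      POSTGRES_DB: ${POSTGRES_DB:?set POSTGRES_DB in .env}
    # … unchanged: volumes, expose …
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:?set POSTGRES_USER in .env}"]
```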