diff --git a/roles/exporters/templates/docker-compose.yml.j2 b/roles/exporters/templates/docker-compose.yml.j2
index 36562ae..07b3c25 100644
--- a/roles/exporters/templates/docker-compose.yml.j2
+++ b/roles/exporters/templates/docker-compose.yml.j2
@@ -9,6 +9,8 @@ services:
     networks:
       - internal
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
     labels:
       - com.centurylinklabs.watchtower.enable=true
@@ -22,6 +24,8 @@ services:
     networks:
       - internal
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
     labels:
       - com.centurylinklabs.watchtower.enable=true
diff --git a/roles/loki/templates/docker-compose.yml.j2 b/roles/loki/templates/docker-compose.yml.j2
index 379feb4..229b892 100644
--- a/roles/loki/templates/docker-compose.yml.j2
+++ b/roles/loki/templates/docker-compose.yml.j2
@@ -3,13 +3,18 @@ services:
     image: grafana/loki:3
     command: -config.file=/etc/loki/config.yml
     ports:
-      - "3100:3100"
+      - "127.0.0.1:3100:3100"
     volumes:
       - ./loki-config.yml:/etc/loki/config.yml:ro
       - loki_data:/loki
     networks:
       - monitoring
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
     labels:
       - com.centurylinklabs.watchtower.enable=true
diff --git a/roles/prometheus/templates/docker-compose.yml.j2 b/roles/prometheus/templates/docker-compose.yml.j2
index 397ebcf..8507644 100644
--- a/roles/prometheus/templates/docker-compose.yml.j2
+++ b/roles/prometheus/templates/docker-compose.yml.j2
@@ -15,6 +15,11 @@ services:
     ports:
       - "127.0.0.1:9090:9090"
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=50m
     labels:
       - com.centurylinklabs.watchtower.enable=true
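Review bot: The two exporter services in roles/exporters receive only `security_opt: no-new-privileges:true`, while the loki and prometheus services in the same commit also get `read_only: true` and a `noexec,nosuid` tmpfs, so the hardening is applied inconsistently across the stack with no comment saying why. The same gap applies to the second hunk (`@@ -22,6 +24,8 @@`) of this file. If the exporters genuinely need a writable root filesystem (the service definitions above these hunks are not visible here, so this cannot be confirmed), a one-line comment such as `# read_only intentionally omitted: exporter writes to <path> at startup` above `security_opt:` would document the decision; otherwise adding the same `read_only: true` and tmpfs stanza used for loki/prometheus keeps the three roles aligned. The hunk header's old-side count of 6 lines against the 5 context lines visible here suggests a blank line was lost in transit, which is cosmetic.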
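Review bot: With `read_only: true` now set on the loki service, every path Loki writes to must be a mounted volume, and the hunk only shows `loki_data:/loki` plus the new `/tmp` tmpfs; whether the WAL, ruler and compactor working directories configured in `./loki-config.yml` all live under `/loki` cannot be checked from this diff, so that should be confirmed before merging or the container will fail at startup with a read-only filesystem error. Rebinding the published port to `127.0.0.1:3100:3100` also means any log shipper that previously reached Loki through the host's external address will be cut off; shippers on the `monitoring` network should address the service by name instead, and it is worth stating that in the role's README or a comment on the `ports:` line, e.g. `# host-local only; shippers reach loki via the monitoring network`. The tmpfs size `100m` is a plain scalar that parses as a string, which is what Compose expects, so no quoting change is needed there.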
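Review bot: `read_only: true` on the prometheus service will only work if the TSDB storage path is a mounted volume, and the volumes for this service sit above the hunk (the service definition starts before line 15) so it is not visible whether `--storage.tsdb.path` resolves to a volume mount; that mapping should be confirmed, and a short comment on the new line, `# read_only requires the TSDB path to be a volume mount (see volumes above)`, would make the dependency obvious to the next editor. The `/tmp` tmpfs size differs between this service (`50m`) and loki (`100m`); if the difference is deliberate a comment saying so would help, otherwise pick one value for both roles. As in the loki hunk, the old-side line count in the header (6) exceeds the visible context lines, which looks like a lost blank line rather than a content problem.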