diff --git a/Dockerfile.whip-test b/Dockerfile.whip-test
index dececa21..5d46d007 100644
--- a/Dockerfile.whip-test
+++ b/Dockerfile.whip-test
@@ -12,7 +12,10 @@ COPY go.mod go.sum ./
 COPY vendor/ ./vendor/
 # Now copy source and build. This layer rebuilds on any .go file change.
+# Do NOT include local configuration or secret files in the build context.
+# Ensure your .dockerignore excludes config files (e.g. config.json, v1.json, .env).
 COPY . .
+# If you need build-time secrets, use BuildKit secrets and `RUN --mount=type=secret,...`.
 RUN make release && make import && make ffmigrate
 FROM $FFMPEG_IMAGE
@@ -31,7 +34,11 @@ ENV CORE_DB_DIR=/core/config
 ENV CORE_WHIP_ENABLE=true
 ENV CORE_WHIP_ADDRESS=:8555
 ENV CORE_WHIP_RTSP_ADDRESS=:8554
-ENV CORE_API_AUTH_ENABLE=false
+# Security note: do not hardcode sensitive configuration or secrets in the image.
+# Set runtime flags and secrets when launching the container instead, for example:
+# docker run -e CORE_API_AUTH_ENABLE=false ...
+# The following env is intentionally left unset in the image to avoid baking config:
+# ENV CORE_API_AUTH_ENABLE=false
 ENV CORE_RTMP_ENABLE=true
 ENV CORE_SRT_ENABLE=true
 ENV CORE_PLAYOUT_ENABLE=true
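Review bot: The two comments added above `COPY . .` are advisory only. The instruction still copies the whole build context, and this diff does not touch a `.dockerignore`, so whether `config.json`, `v1.json` or `.env` are actually excluded cannot be confirmed from here. Anything copied at this step stays in the builder stage's layers and build cache even though `FROM $FFMPEG_IMAGE` starts a new stage afterwards, which matters if that stage is pushed or the cache is shared. Consider adding the named files to `.dockerignore` in the same commit, or replacing `COPY . .` with copies of only the source directories the `make release && make import && make ffmigrate` step needs. The builder stage begins above this hunk.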
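Review bot: Removing `ENV CORE_API_AUTH_ENABLE=false` leaves API authentication to the application's built-in default, which this hunk does not show. The image may therefore still start with API auth off while the WHIP, RTSP, RTMP and SRT settings around it stay enabled. The flag is a security control rather than a secret, yet the new comment frames it as sensitive configuration, and its only example, `docker run -e CORE_API_AUTH_ENABLE=false`, shows operators how to turn authentication off. If the image is meant to be safe by default, set `ENV CORE_API_AUTH_ENABLE=true` explicitly and let the test harness override it with credentials supplied at run time, or state the unset default in the comment. The commented-out `# ENV CORE_API_AUTH_ENABLE=false` line is dead configuration and can be dropped; the ENV block continues outside the hunk.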