diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..79621be
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b44a890
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..f90859c
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,16 @@
+name: CI
+
+on:
+ push:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ compose:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Validate docker-compose.yml
+ run: docker compose config -q
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7841f62
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# runtime data managed by the container
+/app/
+/data/
diff --git a/README.md b/README.md
index 10bad60..752334c 100644
--- a/README.md
+++ b/README.md
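Review bot: In `.github/dependabot.yml`, the `package-ecosystem: docker` entry probably does not track the image this commit actually uses: no Dockerfile is added here, and the only image reference is `image: php:8.3-apache` in `docker-compose.yml`. If so, the base image will never receive update PRs. Dependabot has a separate ecosystem for Compose files; consider adding `- package-ecosystem: docker-compose` with `directory: /` and the same weekly schedule, instead of or alongside the `docker` entry.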
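Review bot: In `.github/workflows/ci.yml`, `uses: actions/checkout@v4` references a movable tag, so the code that runs in the `compose` job can change without any change to this repository. Pin it to a full commit SHA and keep the version as a comment, `- uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, fill in the real SHA); the `github-actions` Dependabot entry added in the same commit can keep SHA pins current. Since the job only reads the tree, setting `persist-credentials: false` under `with:` on the checkout step also keeps the token out of the workspace's git config. Note that `docker compose config -q` checks that the file parses and resolves, not that the bind address or mounts remain as restrictive as the README describes.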
@@ -1,2 +1,35 @@
 # docker-TinyFileManager
-The simplest way to use "Tiny File Manager" into a docker environment
+
+[![CI](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml/badge.svg)](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml)
+
+The simplest way to run [TinyFileManager](https://github.com/prasathmani/tinyfilemanager) in a Docker environment.
+
+## Status
+
+This repo ships a hardened **`docker-compose.yml`** starting point and the security
+checklist below. TinyFileManager itself (`tinyfilemanager.php`) is **not** bundled — you
+provide a pinned copy (see Quick start).
+
+## ⚠️ Security
+
+[TinyFileManager](https://github.com/prasathmani/tinyfilemanager) is a powerful single-file
+PHP file manager. Misconfigured, it exposes your filesystem. Before exposing it:
+
+- **Change the default credentials immediately.** Stock builds ship with
+ `admin / admin@123` and `user / 12345` — anyone who finds the page can log in otherwise.
+- **Pin a recent release.** Older versions have known authentication-bypass / upload CVEs;
+ always run an up-to-date `tinyfilemanager.php`.
+- **Never expose it directly on the Internet.** Put it behind a VPN or a reverse proxy with
+ its own authentication (e.g. basic-auth / SSO), and serve it over HTTPS.
+- **Scope the mounted directory.** Only mount the folder it must manage — never `/` or your
+ whole home directory.
+- **Disable it if unused.** It is an interactive shell-into-your-files; treat it accordingly.
+
+## Quick start
+
+A hardened starting point is in [`docker-compose.yml`](docker-compose.yml) (bound to
+`127.0.0.1`, scoped volumes, `restart: unless-stopped`). Then:
+
+1. Download a pinned `tinyfilemanager.php` release into `./app/`.
+2. Edit its config to set strong credentials (and a per-deployment `$auth_users` / salt).
+3. `docker compose up -d`, then reach it only through your authenticated proxy.
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..15313ef
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,11 @@
+# Starting point for running TinyFileManager in a container.
+# Review the Security section in README.md before exposing this anywhere.
+services:
+ tinyfilemanager:
+ image: php:8.3-apache # pin to a digest in production
+ ports:
+ - "127.0.0.1:8080:80" # localhost only; expose via an auth proxy over HTTPS
+ volumes:
+ - ./app:/var/www/html # place a pinned tinyfilemanager.php (+ config) here
+ - ./data:/var/www/html/data # the directory it manages (scope it tightly)
+ restart: unless-stopped
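Review bot: The `./data:/var/www/html/data` mount puts the managed directory inside Apache's document root, so anything uploaded through the manager is served back by the same PHP-enabled web server, and a `.php` file there would be executed instead of downloaded. Mount the data outside the web root, e.g. `- ./data:/srv/data`, and point TinyFileManager's `$root_path` at that path in its config. The `./app:/var/www/html` mount is also read-write, which lets the web process overwrite `tinyfilemanager.php` and its config; appending `:ro` would prevent that if the deployment does not need to save settings from the UI, which this diff does not show. For a file the README calls hardened, `security_opt: ["no-new-privileges:true"]` on the service would be a cheap addition.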