diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57d1160..ee3a1a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,21 @@
+## 3.2.15
+**Maintainer**: balloon-team \
+**Date**: Tue Mar 24 16:10:03 CET 2020
+
+### Changes
+* Allow google recaptcha through CSP #292
+
+### Packaging
+* Run nginx master rootless, inherit from nginxinc/nginx-unprivileged instead official docker nginx
+* Disable nginx server token in production build
+
+
 ## 3.2.14
 **Maintainer**: balloon-team \
 **Date**: Tue Mar 17 11:49:03 CET 2020
 ### Changes
-* Add content-security-policy by default #292
+* Add content-security-policy by default #292
 ## 3.2.13
diff --git a/Dockerfile b/Dockerfile
index 680748b..858d431 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,3 @@
-FROM nginx:1-alpine
+FROM nginxinc/nginx-unprivileged:1-alpine
 COPY packaging/nginx.conf /etc/nginx/conf.d/default.conf
 COPY build/ /usr/share/balloon-web
diff --git a/packaging/nginx.conf b/packaging/nginx.conf
index 66726fa..c0ed67b 100644
--- a/packaging/nginx.conf
+++ b/packaging/nginx.conf
@@ -1,7 +1,8 @@
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
-add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;";
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/";
+server_tokens off;
 server {
 location / {
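Review bot: Switching the base image to `nginxinc/nginx-unprivileged:1-alpine` means nginx no longer runs as root and therefore cannot bind port 80, so the `listen` directive inside the `server {` block of packaging/nginx.conf (the block continues outside the nginx.conf hunk) must use an unprivileged port such as 8080 or the container will fail to start; please confirm it was changed in the same commit, and update any compose/Kubernetes port mappings and healthchecks that still assume port 80. The content copied to /usr/share/balloon-web by the unchanged COPY line must also be readable by the non-root nginx user, which is worth a comment above that line such as `# served by the unprivileged nginx user: build output must be world-readable`. Since the whole point of this change is a hardened runtime, consider pinning the base image by digest (`nginxinc/nginx-unprivileged:1-alpine@sha256:<digest>`) so the floating `1-alpine` tag cannot silently pull a different image.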
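Review bot: The new `script-src` directive keeps `'unsafe-inline' 'unsafe-eval'` alongside the reCAPTCHA hosts, so while the allowlist is correctly scoped to the `/recaptcha/` paths, the policy still permits any injected inline script to run and gives little XSS protection; a comment above the header such as `# TODO(#292): replace 'unsafe-inline'/'unsafe-eval' in script-src with nonces or hashes once the bundle allows it` would record that this is a stopgap. Note also that nginx only inherits `add_header` directives into a nested block when that block declares no `add_header` of its own, so if the `location /` block (its body runs past this hunk) adds any header, all four security headers above are silently dropped for that location; worth a comment next to the header group stating that constraint. Finally, `server_tokens off;` hides the version string but the `Server: nginx` header itself is still sent, which the changelog entry "Disable nginx server token" may overstate.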