diff --git a/.env_temp b/.env_temp
index d050c99..73ee07f 100644
--- a/.env_temp
+++ b/.env_temp
@@ -1,4 +1,4 @@
-APP_IMAGE=python-insecure-app:latest
+APP_IMAGE=python-insecure-app:wolfi-distroless
 COMPOSE_FILE=docker-compose.yaml
 DEBUG=True
 LETSENCRYPT_EMAIL=info@example.com
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 73ad7f4..2181413 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -3,7 +3,7 @@ FROM python:3.13-alpine@sha256:e5fa639e49b85986c4481e28faa2564b45aa8021413f31026c3856e5911618b1 AS alpine
 LABEL project="Python Insecure App" service="FastAPI" stage="alpine"
-# RUN python3 -m pip install --upgrade pip~=25.3
+RUN python3 -m pip install --upgrade pip~=25.3
 ENV NONROOT=nonroot \
 LANG=C.UTF-8 \
 LC_ALL=C.UTF-8 \
diff --git a/app/config.py b/app/config.py
index 44c3c1c..0c44241 100644
--- a/app/config.py
+++ b/app/config.py
@@ -10,6 +10,6 @@ PUBLIC_IP_SERVICE_URL = os.getenv("PUBLIC_IP_SERVICE_URL")
-SUPER_SECRET_NAME = "John Ripper" # FIXME: os.getenv("SUPER_SECRET_NAME")
+SUPER_SECRET_NAME = os.getenv("SUPER_SECRET_NAME")
-SUPER_SECRET_TOKEN = "5u93R53Cr3tT0k3n" # FIXME: os.getenv("SUPER_SECRET_TOKEN")
+SUPER_SECRET_TOKEN = os.getenv("SUPER_SECRET_TOKEN")
diff --git a/app/main.py b/app/main.py
index cafefd2..a7d2812 100644
--- a/app/main.py
+++ b/app/main.py
@@ -28,14 +28,13 @@ async def try_hack_me(name: str = config.SUPER_SECRET_NAME):
 """
 try:
 # Get the public IP address from an external service
- public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL)
+ public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL, timeout=5)
 public_ip_response.raise_for_status()
 except (requests.HTTPError, requests.exceptions.InvalidSchema):
 public_ip = "Unknown"
 else:
 public_ip = public_ip_response.text
 name = name or config.SUPER_SECRET_NAME
- content = f"
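Review bot: The re-enabled `RUN python3 -m pip install --upgrade pip~=25.3` pulls whatever 25.x pip PyPI serves at build time, so the image is no longer reproducible even though the base image on the line above is pinned by digest. If reproducible or attestable builds are a goal, pin the version exactly (`pip==25.3`) and, if the project's requirements files already carry hashes, constrain this install the same way. The removed comment shows the step was previously disabled deliberately; the diff does not say why it is now safe to run, which is worth a one-line comment above the RUN.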
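Review bot: `SUPER_SECRET_TOKEN = os.getenv("SUPER_SECRET_TOKEN")` (and `SUPER_SECRET_NAME` two lines above it) silently yields `None` when the variable is unset, so a misconfigured deployment starts with no token instead of failing; prefer `SUPER_SECRET_TOKEN = os.environ["SUPER_SECRET_TOKEN"]` or an explicit check that raises at import time. `SUPER_SECRET_NAME` is also consumed as a default argument in main.py (`name: str = config.SUPER_SECRET_NAME`), which is bound at import, so with the variable unset the handler's later `name or config.SUPER_SECRET_NAME` fallback is still `None` and the page renders "Hello, None!". The hard-coded values this hunk removes remain in git history; treat them as compromised and rotate them rather than carrying them into any `.env` file.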

Hello, {name}!

Public IP: {public_ip}

" - # https://fastapi.tiangolo.com/advanced/custom-response/#return-a-response - # FIXME: return HTMLResponse(content) - return Template(content).render() + content = "

Hello, {{name}}!

Public IP: {{public_ip}}

" + # FIXME: https://fastapi.tiangolo.com/advanced/custom-response/#return-a-response + return Template(content).render(name=name, public_ip=public_ip) diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 573234f..4bface7 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -10,7 +10,7 @@ (waf_rules) { coraza_waf { directives ` - SecRuleEngine Off + SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimitAction Reject SecDebugLogLevel 9 diff --git a/requirements/common.in b/requirements/common.in index 4f3107e..881d9c6 100644 --- a/requirements/common.in +++ b/requirements/common.in @@ -1,4 +1,4 @@ -r base.in -fastapi[standard]~=0.115.0 -jinja2~=3.0.0 +fastapi[standard]~=0.120.0 +jinja2~=3.1.0 requests~=2.32.0 diff --git a/tests/test_main.py b/tests/test_main.py index deb01c6..f51b496 100644 --- a/tests/test_main.py +++ b/tests/test_main.py @@ -35,8 +35,7 @@ def test_root(requests_mock): response.content.decode() == "

Hello, Bob!

Public IP: 123.45.67.89

" ) - # TODO - # response = client.get("/?name={{7*6}}") - # assert response.status_code == 200 - # assert "42" not in response.content.decode() - # assert "{{7*6}}" in response.content.decode() + response = client.get("/?name={{7*6}}") + assert response.status_code == 200 + assert "42" not in response.content.decode() + assert "{{7*6}}" in response.content.decode()