diff --git a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
index c7fa7cca..cb4d1a87 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
@@ -46,6 +46,8 @@ public class SecurityConfig {
 .csrf(csrf -> csrf.disable())
 .authorizeHttpRequests(auth -> {
+ // Health endpoint must be open so CI/Docker health checks work without credentials
+ auth.requestMatchers("/actuator/health").permitAll();
 // In dev, allow unauthenticated access to the OpenAPI spec and Swagger UI
 if (environment.matchesProfiles("dev")) {
 auth.requestMatchers(
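Review bot: The new `permitAll()` on `/actuator/health` applies in every profile and to every HTTP method, so what an anonymous caller can read depends on actuator settings that are not visible in this hunk. If `management.endpoint.health.show-details` is ever set to `always`, component details such as datasource and disk-space status would be served without credentials; I would keep it at `never` or `when-authorized` and state that requirement in the comment above the matcher. Narrowing the rule to reads, `auth.requestMatchers(HttpMethod.GET, "/actuator/health").permitAll();`, keeps the CI/Docker probe working while leaving other methods behind authentication. The lambda body continues outside the hunk, so I cannot confirm that a later catch-all rule still requires authentication for the remaining actuator endpoints.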