diff --git a/backend/Dockerfile b/backend/Dockerfile
index d0c04500..7e0c0c63 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -15,23 +15,19 @@ RUN mkdir -p /app/certs
 EXPOSE 9090
 
 # Create entrypoint script inline (BuildKit heredoc)
+# Note: cert wait is handled by docker-compose depends_on (cert-generator: service_completed_successfully)
 COPY <<'EOF' /entrypoint.sh
 #!/bin/bash
 set -e
 
-while [ ! -f /app/certs/server.key ]; do
-  echo "Waiting for TLS certs..."
-  sleep 2
-done
-
 echo "Starting application..."
 
 exec gunicorn 'app.main:create_app()' \
   -k uvicorn.workers.UvicornWorker \
   --bind 0.0.0.0:443 \
-  --workers 4 \
-  --threads 4 \
-  --timeout 60 \
+  --workers "${WEB_CONCURRENCY:-2}" \
+  --threads "${WEB_THREADS:-4}" \
+  --timeout "${WEB_TIMEOUT:-60}" \
   --graceful-timeout 30 \
   --keep-alive 2 \
   --backlog 2048 \
diff --git a/backend/config.toml b/backend/config.toml
index 6dfa9e18..37416975 100644
--- a/backend/config.toml
+++ b/backend/config.toml
@@ -90,7 +90,7 @@ OTEL_EXPORTER_OTLP_ENDPOINT = "http://otel-collector:4317"
 
 # --8<-- [start:server]
 # Gunicorn / Uvicorn
-WEB_CONCURRENCY = 4
+WEB_CONCURRENCY = 2
 WEB_THREADS = 4
 WEB_TIMEOUT = 60
 WEB_BACKLOG = 2048
diff --git a/docker-compose.yaml b/docker-compose.yaml
index aedb618c..c456492f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -117,6 +117,10 @@ services:
     networks:
       - app-network
     container_name: backend
+    environment:
+      - WEB_CONCURRENCY=${WEB_CONCURRENCY:-2}
+      - WEB_THREADS=${WEB_THREADS:-4}
+      - WEB_TIMEOUT=${WEB_TIMEOUT:-60}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     healthcheck: