diff --git a/java/online-service/recommend-service/docker-compose.yml b/java/online-service/recommend-service/docker-compose.yml
index 32361f6c..12f25194 100644
--- a/java/online-service/recommend-service/docker-compose.yml
+++ b/java/online-service/recommend-service/docker-compose.yml
@@ -1,5 +1,9 @@
 version: '3.5'
+# SECURITY: Set CONSUL_INITIAL_MANAGEMENT_TOKEN environment variable to a random UUID before deployment
+# Example: export CONSUL_INITIAL_MANAGEMENT_TOKEN=$(uuidgen)
+# The default value below is for development only and should be changed in production
+
 services:
 server:
 container_name: recommend-service
@@ -12,6 +16,7 @@ services:
 command: java -jar recommend-service-1.0-SNAPSHOT.jar
 environment:
 CONSUL_HOST: consul
+ CONSUL_TOKEN: ${CONSUL_INITIAL_MANAGEMENT_TOKEN:-CHANGE-ME-IN-PRODUCTION}
 ports:
 - "8080:8080"
 depends_on:
@@ -21,9 +26,9 @@ services:
 container_name: consul-service
 restart: on-failure
 image: consul:1.13.1
- environment:
- CONSUL_LOCAL_CONFIG: "{\"skip_leave_on_interrupt\": true}"
- command: consul agent -server -bootstrap-expect 1 -data-dir=/consul/data -bind=127.0.0.1 -client=0.0.0.0 -ui
+ command: consul agent -server -bootstrap-expect 1 -data-dir=/consul/data -bind=127.0.0.1 -client=0.0.0.0 -ui -hcl="skip_leave_on_interrupt = true" -hcl="acl { enabled = true default_policy = \"deny\" enable_token_persistence = true tokens { initial_management = \"${CONSUL_INITIAL_MANAGEMENT_TOKEN:-CHANGE-ME-IN-PRODUCTION}\" } }"
+ volumes:
+ - consul-data:/consul/data
 ports:
 - "8500:8500"
 - "8600:8600"
@@ -106,6 +111,9 @@ services:
 - "etcd"
 - "minio"
+volumes:
+ consul-data:
+
 networks:
 default:
 name: recommend
diff --git a/java/online-service/recommend-service/src/main/resources/bootstrap.yml b/java/online-service/recommend-service/src/main/resources/bootstrap.yml
index 4394208d..fb133a42 100644
--- a/java/online-service/recommend-service/src/main/resources/bootstrap.yml
+++ b/java/online-service/recommend-service/src/main/resources/bootstrap.yml
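Review bot: The `:-CHANGE-ME-IN-PRODUCTION` fallback on the added `CONSUL_TOKEN` line (and again inside the `-hcl` ACL stanza of the consul `command` in the next hunk) lets the stack start with a publicly known management token whenever `CONSUL_INITIAL_MANAGEMENT_TOKEN` is unset, so the header comment is the only safeguard. Compose can fail closed instead: `CONSUL_TOKEN: ${CONSUL_INITIAL_MANAGEMENT_TOKEN:?set CONSUL_INITIAL_MANAGEMENT_TOKEN before starting}`. Separately, this hands the application the initial management token, which carries unrestricted ACL privileges; a token bound to a policy limited to the service's own registration and its config KV prefix would keep a compromise of recommend-service from becoming a compromise of Consul. The `server` service mapping starts and ends outside the hunk.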
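Review bot: Interpolating the token into `-hcl="acl { ... }"` on the agent `command` puts the management token in the container's argument list, where it is readable through `docker inspect` and the process table. Mounting the ACL stanza as a file in the agent's config directory, or supplying it as a Compose secret, keeps it out of both. The listener stays on `-client=0.0.0.0` with 8500 published, so that token is the only control between the host network and full administration of the agent. It is also worth confirming what happens now that `consul-data` is persisted: a stack first started on the fallback value probably keeps that token valid in the stored ACL state after the variable is changed later, in which case it has to be deleted explicitly. The `consul` service definition continues outside the hunk.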
@@ -3,6 +3,7 @@ spring:
 consul:
 host: ${CONSUL_HOST:localhost}
 port: ${CONSUL_PORT:8500}
+ acl-token: ${CONSUL_TOKEN:}
 config:
 enabled: ${CONSUL_ENABLE:true}
 prefix: ${CONSUL_PREFIX:config}
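Review bot: The empty default in `acl-token: ${CONSUL_TOKEN:}` lets the service start with no token at all. Against the `default_policy = "deny"` agent configured in docker-compose.yml, config reads and registration would then be refused, which may only surface as missing configuration at runtime. Consider making an unset `CONSUL_TOKEN` fail at startup for ACL-enabled deployments, and add a comment above the key such as `# required when Consul ACLs are enabled; supply via environment, never commit a value`. Indentation is lost in this view, so confirm the key sits where the Spring Cloud Consul version in use actually binds it; the per-feature properties are `spring.cloud.consul.config.acl-token` and `spring.cloud.consul.discovery.acl-token`. The `consul` mapping starts above the hunk.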