diff --git a/Dockerfile b/Dockerfile
index e20016dc0..ea505715b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ WORKDIR /app
 
 # --- Install + Build in one stage ---
 FROM base AS builder
-ARG CACHE_BUST=2
+ARG CACHE_BUST=6
 COPY . .
 RUN pnpm install --no-frozen-lockfile
 ENV NEXT_TELEMETRY_DISABLED=1
@@ -14,9 +14,11 @@ ENV NEXT_TELEMETRY_DISABLED=1
 ARG NEXT_PUBLIC_SITE_URL=https://myeasycms.de
 ARG NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000
 ARG NEXT_PUBLIC_SUPABASE_PUBLIC_KEY
+ARG NEXT_PUBLIC_DEFAULT_LOCALE=de
 ENV NEXT_PUBLIC_SITE_URL=${NEXT_PUBLIC_SITE_URL}
 ENV NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
 ENV NEXT_PUBLIC_SUPABASE_PUBLIC_KEY=${NEXT_PUBLIC_SUPABASE_PUBLIC_KEY}
+ENV NEXT_PUBLIC_DEFAULT_LOCALE=${NEXT_PUBLIC_DEFAULT_LOCALE}
 RUN pnpm --filter web build
 
 # --- Run ---
diff --git a/docker-compose.yml b/docker-compose.yml
index 8d5cebab6..d22bbcf07 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -321,13 +321,16 @@ services:
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_SITE_URL: ${SITE_URL:-http://localhost:3000}
-      # NEXT_PUBLIC_ vars are baked at build time — runtime values only apply
-      # to middleware/API routes. Don't override with Docker-internal URLs.
+      # Browser-side: external domain (baked at build time, re-stated here for SSR)
+      NEXT_PUBLIC_SUPABASE_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
+      NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
+      NEXT_PUBLIC_DEFAULT_LOCALE: de
+      # Server-side: Docker-internal URL (avoids hairpin NAT / DNS issues)
+      SUPABASE_INTERNAL_URL: http://supabase-kong:8000
       SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
       SUPABASE_DB_WEBHOOK_SECRET: ${DB_WEBHOOK_SECRET:-webhooksecret}
       EMAIL_SENDER: ${EMAIL_SENDER:-noreply@myeasycms.de}
       NEXT_PUBLIC_PRODUCT_NAME: MyEasyCMS
-      NEXT_PUBLIC_DEFAULT_LOCALE: de
       NEXT_PUBLIC_ENABLE_THEME_TOGGLE: "true"
       NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: "true"
       NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: "true"
diff --git a/packages/supabase/src/get-supabase-client-keys.ts b/packages/supabase/src/get-supabase-client-keys.ts
index 1f3a3eee9..3afab122e 100644
--- a/packages/supabase/src/get-supabase-client-keys.ts
+++ b/packages/supabase/src/get-supabase-client-keys.ts
@@ -2,8 +2,18 @@ import * as z from 'zod';
 
 /**
  * Returns and validates the Supabase client keys from the environment.
+ *
+ * On the server, prefers SUPABASE_INTERNAL_URL (Docker-internal)
+ * over NEXT_PUBLIC_SUPABASE_URL (external domain) to avoid
+ * hairpin NAT / DNS issues in containerized deployments.
  */
 export function getSupabaseClientKeys() {
+  const isServer = typeof window === 'undefined';
+
+  const url = isServer
+    ? (process.env.SUPABASE_INTERNAL_URL || process.env.NEXT_PUBLIC_SUPABASE_URL)
+    : process.env.NEXT_PUBLIC_SUPABASE_URL;
+
   return z
     .object({
       url: z.string({
@@ -14,7 +24,7 @@ export function getSupabaseClientKeys() {
       }),
     })
     .parse({
-      url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+      url,
       publicKey: process.env.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY,
     });
 }