diff --git a/docker-compose.yml b/docker-compose.yml
index d19cca5..361f74d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,8 @@ services:
 volumes:
 - ./nginx/html:/usr/share/nginx/html:ro
 - ./nginx/conf.d:/etc/nginx/conf.d:ro
-
+ environment:
+ - MEDIA_API_KEY=key-mindboost-media-server # ⇦ beliebig ändern
 labels:
 - "traefik.enable=true"
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
deleted file mode 100644
index 8714036..0000000
--- a/nginx/conf.d/default.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-server {
- listen 80;
- server_name localhost;
-
- # Where your assets live
- root /usr/share/nginx/html;
- index index.html;
-
- # ---------- Default site (HTML/CSS/JS) ----------
- location / {
- try_files $uri $uri/ =404;
- }
-
- # ---------- Audio (and optional video) ----------
- # 30-day cache; adjust max-age as needed.
- location ~* \.(opus|flac|ogg|mp3|wav|m4a|aac)$ {
- add_header Cache-Control "public, max-age=2592000" always;
-
- # Teach Nginx any MIME types it doesn’t already know:
- types {
- audio/opus opus;
- audio/mpeg mp3;
- audio/mp4 m4a;
- audio/aac aac;
- video/mp4 mp4;
- video/webm webm;
- }
-
- try_files $uri =404;
- }
-}
diff --git a/nginx/conf.d/default.conf.template b/nginx/conf.d/default.conf.template
new file mode 100644
index 0000000..5322ba3
--- /dev/null
+++ b/nginx/conf.d/default.conf.template
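Review bot: In `docker-compose.yml`, the added `MEDIA_API_KEY=key-mindboost-media-server` line commits the key itself to the repository, so anyone with read access to the repo or its history knows it, and the inline hint to change it is easy to miss. Taking the value from the deployment environment and failing when it is absent avoids both problems: `- MEDIA_API_KEY=${MEDIA_API_KEY:?MEDIA_API_KEY must be set}`. The service's image is outside this hunk; if it is the stock nginx image, templates are rendered from `/etc/nginx/templates` into `/etc/nginx/conf.d`, so a `.template` file sitting in the read-only `conf.d` mount would be neither rendered nor included, which is worth confirming.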
@@ -0,0 +1,50 @@
+# --------------------------- ENV-Key übernehmen ---------------------------
+# envsubst ersetzt ${MEDIA_API_KEY} durch den Wert aus docker-compose.yml
+set $secret_key "${MEDIA_API_KEY}";
+
+map $request_method $cors_preflight {
+ "OPTIONS" 1;
+ default 0;
+}
+
+server {
+ listen 80;
+ server_name localhost;
+
+ root /usr/share/nginx/html;
+ index index.html;
+
+ # ---------- Preflight (OPTIONS) ----------
+ if ($cors_preflight = 1) {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, X-API-Key";
+ add_header Content-Length 0;
+ return 204;
+ }
+
+ # ---------- Geschützte Audio-Ressourcen ----------
+ location ~* \.(opus|flac|ogg|mp3|wav|m4a|aac)$ {
+
+ # --- Key-Check (nur GET/HEAD) ---
+ if ($request_method != "OPTIONS") {
+ if ($http_x_api_key != $secret_key) { return 401; }
+ }
+
+ # --- CORS & Cache ---
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, X-API-Key";
+ add_header Cache-Control "public, max-age=2592000" always;
+
+ # fehlende MIME-Types
+ types { audio/opus opus; audio/flac flac; }
+
+ try_files $uri =404;
+ }
+
+ # ---------- Website / Index ----------
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
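Review bot: The key check in the audio `location` fails open when `MEDIA_API_KEY` is set but empty: `$secret_key` is then an empty string, a request without `X-API-Key` gives an empty `$http_x_api_key`, and the `!=` test lets it through. The file is also unlikely to load as written, because `set` is not permitted at `http` level (where `conf.d` files are normally included), `if` blocks cannot be nested, and `add_header` is not valid in a server-level `if`. `Cache-Control: public` on the protected files allows a shared cache to store them and answer later requests without the key ever being checked, so `private` is the safer value. The fence below moves `set` into the `server` block, answers preflight inside the protected location (other paths would then no longer return 204 for OPTIONS), and rejects requests while no key is configured.

```nginx
server {
    # … unchanged: listen, server_name, root, index …

    # set is valid in server context, not at http level
    set $secret_key "${MEDIA_API_KEY}";

    location ~* \.(opus|flac|ogg|mp3|wav|m4a|aac)$ {
        # preflight carries no key; add_header is allowed in an if inside a location
        if ($request_method = OPTIONS) {
            # … unchanged: the three Access-Control-* add_header lines …
            return 204;
        }

        # refuse everything while no key is configured
        if ($secret_key = "") { return 503; }
        if ($http_x_api_key != $secret_key) { return 401; }

        # … unchanged: Access-Control-* headers …
        add_header Cache-Control "private, max-age=2592000" always;
        # … unchanged: types, try_files …
    }

    # … unchanged: location / …
}
```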