diff --git a/.env.example b/.env.example
index 0fbe62c..04a87ae 100644
--- a/.env.example
+++ b/.env.example
@@ -12,6 +12,9 @@ PGID=1000
 PORT=3000
 CORS_ORIGINS=http://localhost:4174
 LOG_LEVEL=info
+# Levels: debug, info, warn, error, silent
+# Controls: backend Fastify logging, frontend nginx access logs (Docker),
+# and frontend browser console (via build-time injection)
 # Rate limit: max requests per minute per IP (default: 100)
 # Increase for development/testing environments
diff --git a/docker-compose.yml b/docker-compose.yml
index 3915cde..64de583 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,6 +35,8 @@ services:
 frontend:
 image: ghcr.io/danielvolz/medassist-ng-frontend:latest
 container_name: medassist-ng-frontend
+ env_file:
+ - .env
 environment:
 - BACKEND_URL=backend:3000
 ports:
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index b5a90b1..edf2be7 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -41,6 +41,10 @@ RUN sed -i 's|include /etc/nginx/conf.d/\*.conf;|include /tmp/default.conf;|' /e
 # nginx-unprivileged automatically substitutes env vars in .template files
 COPY nginx.conf /etc/nginx/templates/default.conf.template
+# Copy entrypoint wrapper (translates LOG_LEVEL → nginx access log control)
+COPY nginx-entrypoint.sh /nginx-entrypoint.sh
+RUN chmod +x /nginx-entrypoint.sh
+
 # Copy built static files with correct ownership (nginx user = uid 101)
 COPY --from=builder --chown=101:101 /app/dist /usr/share/nginx/html
@@ -50,5 +54,6 @@ EXPOSE 8080
 # Already runs as non-root (nginx user, uid 101)
 USER nginx
-# Start nginx (entrypoint processes templates automatically)
+# Use wrapper entrypoint that maps LOG_LEVEL to nginx config
+ENTRYPOINT ["/nginx-entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/frontend/nginx-entrypoint.sh b/frontend/nginx-entrypoint.sh
new file mode 100755
index 0000000..db3a200
--- /dev/null
+++ b/frontend/nginx-entrypoint.sh
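Review bot: In docker-compose.yml, the added `env_file: - .env` on the frontend service hands every variable in `.env` to the nginx container, although the only one the new wrapper reads is LOG_LEVEL. The rest of `.env` is not visible in this diff, but the file is shared with the backend, so anything sensitive kept there would become readable through `docker inspect` and from inside the frontend container. Passing the single value keeps the frontend at least privilege: drop `env_file` and add `- LOG_LEVEL=${LOG_LEVEL:-info}` under `environment:`, which Compose interpolates from the same `.env`. It also keeps unrelated `.env` names from becoming substitution candidates in the nginx template.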
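Review bot: In frontend/Dockerfile (first hunk), `RUN chmod +x /nginx-entrypoint.sh` adds a layer and only works if the build user at that point may change a file that `COPY` created as root; nginx-unprivileged images default to a non-root user, and the lines above the hunk that would show a `USER root` are not visible. Setting the mode at copy time removes both concerns: `COPY --chmod=0755 nginx-entrypoint.sh /nginx-entrypoint.sh` (needs BuildKit). Leaving out `--chown` is the right choice here, because a root-owned entrypoint cannot be rewritten by uid 101 at runtime; a one-line comment such as `# root-owned on purpose: the runtime user must not be able to modify the entrypoint` would keep a later edit from undoing it.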
@@ -0,0 +1,21 @@
+#!/bin/sh
+# =============================================================================
+# Frontend entrypoint wrapper
+# Translates LOG_LEVEL into nginx access log control before
+# delegating to the standard nginx-unprivileged entrypoint.
+#
+# LOG_LEVEL=debug|info → access logs enabled (default)
+# LOG_LEVEL=warn|error|fatal|silent → access logs suppressed
+# =============================================================================
+
+case "${LOG_LEVEL:-info}" in
+ warn|error|fatal|silent)
+ export NGINX_ACCESS_LOG="off"
+ ;;
+ *)
+ export NGINX_ACCESS_LOG="/dev/stdout"
+ ;;
+esac
+
+# Delegate to the original nginx-unprivileged entrypoint
+exec /docker-entrypoint.sh "$@"
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 48ab14e..36949ab 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -6,6 +6,9 @@ server {
 root /usr/share/nginx/html;
 index index.html;
+ # Access log control (suppressed when LOG_LEVEL is warn or higher)
+ access_log ${NGINX_ACCESS_LOG};
+
 # Security headers
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
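Review bot: In frontend/nginx-entrypoint.sh, the `warn|error|fatal|silent)` arm turns nginx access logging off entirely, so a deployment that sets LOG_LEVEL=warn to quieten the backend also stops recording requests at the frontend. Access logs are normally the first record consulted when investigating an incident, and LOG_LEVEL reads as a verbosity setting rather than an audit switch. Consider limiting the suppressing arm to `silent)` so that only an explicit opt-out removes the request trail. The header comment should also state that matching is case-sensitive, that any unrecognised value falls into `*)` and enables logging, and that `fatal` is accepted although `.env.example` does not list it.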
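Review bot: In frontend/nginx.conf, `access_log ${NGINX_ACCESS_LOG};` is filled in by template substitution, so whatever the variable holds is written into the server block verbatim; it is safe only because nginx-entrypoint.sh always overwrites it with `off` or `/dev/stdout`. The comment above the directive should record that dependency, for example `# NGINX_ACCESS_LOG is set by nginx-entrypoint.sh to "off" or "/dev/stdout"; do not source it from anywhere else`. If the container is started with the stock entrypoint instead of the wrapper, the placeholder is presumably left unsubstituted and nginx would reject the config, which is worth confirming and noting next to the `ENTRYPOINT` line.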