diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5382d2a..3b6ed7c 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -11,6 +11,10 @@ on:
         required: false
         default: ''
 
+# Default minimal permissions
+permissions:
+  contents: read
+
 env:
   REGISTRY: ghcr.io
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4652009..c85299f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     branches: [main]
 
+# Minimal permissions for security
+permissions:
+  contents: read
+
 jobs:
   # =============================================================================
   # Backend Tests