diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index d5be6a90..35bcbd15 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -12,7 +12,15 @@ ARG MAILU_GID=1000
 RUN set -euxo pipefail \
   ; addgroup -Sg ${MAILU_GID} mailu \
   ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
-  ; apk add --no-cache bash ca-certificates curl python3 tzdata
+  ; apk add --no-cache bash ca-certificates curl python3 tzdata \
+  ; machine="$(uname -m)" \
+  ; if [[ "${machine}" == x86_64 || "${machine}" == armv8* || "${machine}" == aarch64 ]] \
+  ; then \
+      echo "Installing hardened-malloc" \
+  ;   apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc \
+  ; fi
+
+ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so
 
 WORKDIR /app
 
diff --git a/docs/configuration.rst b/docs/configuration.rst
index d411d2c7..ba75e0bf 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -287,6 +287,10 @@ The admin service stores configurations in a database.
 - ``DB_USER``: the database user for mailu admin service. (when not ``sqlite``)
 - ``DB_NAME``: the database name for mailu admin service. (when not ``sqlite``)
 
+Alternatively, if you need more control, you can use a `DB URL`_ : do not set any of the ``DB_`` settings and set ``SQLALCHEMY_DATABASE_URI`` instead.
+
+.. _`DB URL`: https://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
+
 The roundcube service stores configurations in a database.
 
 - ``ROUNDCUBE_DB_FLAVOR``: the database type for roundcube service. (``sqlite``, ``postgresql``, ``mysql``)
diff --git a/towncrier/newsfragments/2525.feature b/towncrier/newsfragments/2525.feature
new file mode 100644
index 00000000..634733c7
--- /dev/null
+++ b/towncrier/newsfragments/2525.feature
@@ -0,0 +1 @@
+Switch to GrapheneOS's hardened_malloc