diff --git a/nginx/scripts/docker_entrypoint.sh b/nginx/scripts/docker_entrypoint.sh
index 5764d84c6..ea2973cc3 100755
--- a/nginx/scripts/docker_entrypoint.sh
+++ b/nginx/scripts/docker_entrypoint.sh
@@ -177,6 +177,7 @@ EOF
 # rewrite modified copy of user ldap configuration to point to local end of tunnel instead of remote
 rm -f "$NGINX_RUNTIME_LDAP_CONF"
 touch "$NGINX_RUNTIME_LDAP_CONF"
+ chmod 600 "$NGINX_RUNTIME_LDAP_CONF"
 READ_LINE_NUM=0
 while IFS= read -r LINE; do
 READ_LINE_NUM=$((READ_LINE_NUM+1))
@@ -192,6 +193,7 @@ EOF
 # however, we do want to set SSL CA trust stuff if specified, so do that
 rm -f "$NGINX_RUNTIME_LDAP_CONF"
 touch "$NGINX_RUNTIME_LDAP_CONF"
+ chmod 600 "$NGINX_RUNTIME_LDAP_CONF"
 READ_LINE_NUM=0
 while IFS= read -r LINE; do
 READ_LINE_NUM=$((READ_LINE_NUM+1))
diff --git a/scripts/control.py b/scripts/control.py
index bc827a784..3fc15b7e6 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -433,11 +433,13 @@ def start():
 # make sure permissions are set correctly for the nginx worker processes
 for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')),
- os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')),
 os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')),
 os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata'))]:
 # chmod 644 authFile
 os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf'))]:
+ # chmod 600 authFile
+ os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR)
 # make sure some directories exist before we start
 for path in [os.path.join(MalcolmPath, 'elasticsearch'),
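Review bot: The new `chmod 600` runs only after `touch` has already created `$NGINX_RUNTIME_LDAP_CONF`, so the empty runtime config briefly exists with umask-derived permissions (commonly 0644) before it is tightened, and a descriptor opened in that window keeps read access after the chmod while the `while` loop below presumably fills the file with the rewritten LDAP settings. Creating the file with the right mode closes the window: `(umask 077; touch "$NGINX_RUNTIME_LDAP_CONF")` or `install -m 600 /dev/null "$NGINX_RUNTIME_LDAP_CONF"` in place of the `touch` + `chmod` pair. Mode 0600 also assumes the process that later reads this file is its owner (the entrypoint's user, presumably root before nginx drops privileges); that is worth confirming, since the control.py hunk's own comment says these permissions exist for the nginx worker processes. The `while` loop that writes the file continues past the end of the hunk.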
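Review bot: This hunk is now the second verbatim copy of the `rm -f` / `touch` / `chmod 600` sequence on `$NGINX_RUNTIME_LDAP_CONF`, and duplicated permission handling is exactly what drifts when one branch is later fixed and the other is not; the same touch-then-chmod ordering gap as in the first hunk applies here too. A small helper defined once above both branches removes the duplication and creates the file owner-only from the start: `reset_runtime_ldap_conf() { rm -f "$NGINX_RUNTIME_LDAP_CONF"; (umask 077; touch "$NGINX_RUNTIME_LDAP_CONF"); }`, called as `reset_runtime_ldap_conf` in place of the three lines in each branch. The `while` loop that follows continues outside the hunk.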
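Review bot: A `for` over a single-element list is an awkward way to chmod one file, and the nested `os.path.join(MalcolmPath, os.path.join('nginx', ...))` is redundant since `os.path.join` is variadic; the three added lines collapse to `os.chmod(os.path.join(MalcolmPath, 'nginx', 'nginx_ldap.conf'), stat.S_IRUSR | stat.S_IWUSR)`. The comment `# chmod 600 authFile` restates the code rather than the reason; say why this file is owner-only while its siblings stay 0644, e.g. `# nginx_ldap.conf is kept 0600 (owner-only), unlike the 0644 files above — confirm the process reading it runs as the owner`. Since 0600 on the host-side file means any container process reading it through a bind mount must run as the owning uid (or root), and the surviving comment says these permissions are "for the nginx worker processes", the owner/reader relationship should be verified rather than assumed. `start()` begins before the hunk and continues after it.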