diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index b08bb4f6..331967e7 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -170,13 +170,14 @@ services:
 cap_drop:
 - ALL

- # Use entrypoint script to inject password from Docker Secret into config
+ # Use entrypoint script to inject password from Docker Secret into environment
+ # This makes password available to both Redis startup AND health check
 # Note: Script runs as root to read Docker Secrets, then starts Redis
 entrypoint: ["/bin/sh", "-c"]
 command:
 - |
- # Read password from Docker Secret (as root)
- REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '')
+ # Read password from Docker Secret (as root) and export for health check
+ export REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '')
 # Start Redis with all settings as command line arguments (no config file to avoid conflicts)
 if [ -n "$$REDIS_PASSWORD" ]; then
 exec redis-server \
@@ -208,12 +209,13 @@ services:
 cpus: '0.5'

 # Stricter health checks
+ # Uses REDIS_PASSWORD environment variable exported by entrypoint
 healthcheck:
- test: ["CMD-SHELL", "redis-cli ping | grep -q PONG || redis-cli -a \"$$(cat /run/secrets/redis_password 2>/dev/null)\" ping | grep -q PONG"]
+ test: ["CMD-SHELL", "redis-cli -a \"$$REDIS_PASSWORD\" ping | grep -q PONG"]
 interval: 10s
 timeout: 3s
 retries: 5
- start_period: 10s
+ start_period: 30s

 # JSON logging
 logging:
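Review bot: The `export` added to the `REDIS_PASSWORD=$$(cat …)` line in the first hunk will not reach the health check, although the new comments say it does. Docker starts a health check as a separate process with the container's configured environment, not the environment of the entrypoint shell, so `$$REDIS_PASSWORD` in the second hunk's `test:` expands to an empty string and the check fails whenever a password is set. What the export does do is leave the secret in the environment of the `exec`'d redis-server for the life of the container, readable through `/proc/<pid>/environ`. I would drop `export`, keep the comment as `# Read password from Docker Secret (as root)`, and let the health check read `/run/secrets/redis_password` itself. The `|| echo ''` fallback also appears to let Redis start without a password when the secret is unreadable; the rest of the `if` is outside the hunk, so confirm that production fails closed there.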
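Review bot: The new `test:` line in the second hunk passes the password with `-a`, which puts it in the `redis-cli` argument list where other processes in the container can read it, and it drops the only path that read the secret file directly. Reading the secret inside the check and passing it through `REDISCLI_AUTH` avoids both the argv exposure and the reliance on an exported variable: `test: ["CMD-SHELL", "REDISCLI_AUTH=\"$$(cat /run/secrets/redis_password 2>/dev/null)\" redis-cli ping | grep -q PONG"]`. This assumes the user the check runs as can still read the secret file, as the removed line did. The added comment above `healthcheck:` would then read `# Reads the password from the Docker Secret at check time`.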