diff --git a/apps/indeedhub/manifest.yml b/apps/indeedhub/manifest.yml
index 45c8ad3c..f3f5b1cb 100644
--- a/apps/indeedhub/manifest.yml
+++ b/apps/indeedhub/manifest.yml
@@ -25,7 +25,12 @@ app:
 disk_limit: 1Gi
 security:
- capabilities: []
+ # nginx master runs as root and drops workers to the nginx user (uid/gid
+ # 101) — needs SET{UID,GID}; CHOWN + DAC_OVERRIDE let it own + write the
+ # proxy cache under the tmpfs /var/cache/nginx. The orchestrator does
+ # --cap-drop=ALL, so (unlike the legacy `podman run` default caps) these
+ # must be declared or nginx workers die with "setgid(101) failed".
+ capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID]
 readonly_root: false
 network_policy: isolated
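Review bot: CHOWN and DAC_OVERRIDE on the new `capabilities:` line are far broader than the need the comment describes: together with `readonly_root: false` two lines below, DAC_OVERRIDE lets the root nginx master (and anything that compromises it before the worker fork) read, write or chown any file in the container, not only the cache under /var/cache/nginx. If that tmpfs is mounted with `uid=101,gid=101` (or the directory is chowned at image build time) the workers own the cache outright and the line can shrink to `capabilities: [SETGID, SETUID]`. Since no NET_BIND_SERVICE is requested the listen port is presumably already unprivileged, so running the whole container as uid 101 (the unprivileged-nginx pattern) would let this stay `[]` — confirm against the listen directive before going that far. Whichever is chosen, set a no-new-privileges option here if the manifest schema has one, and extend the comment with `# CHOWN/DAC_OVERRIDE are only for the cache dir — drop them once the tmpfs is mounted uid=101,gid=101` so the next reader does not treat the broad caps as a fixed requirement.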