diff --git a/pyproject.toml b/pyproject.toml
index 39586e1b72..63a856ca34 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -47,6 +47,7 @@ ruyaml = "0.91.0"
 six = "1.16.0"
 social-auth-app-django = "5.4.0"
 uwsgi = "2.0.23"
+security = "==1.3.0"
 [tool.poetry.group.lint]
 optional = true
diff --git a/python/adcm/settings.py b/python/adcm/settings.py
index 7259917b5a..343a337f3e 100644
--- a/python/adcm/settings.py
+++ b/python/adcm/settings.py
@@ -392,3 +392,4 @@ def get_db_options() -> dict:
 STDOUT_STDERR_TRUNCATED_LOG_MESSAGE = ""
 TEST_RUNNER = "adcm.tests.runner.SubTestParallelRunner"
+SESSION_COOKIE_SECURE = True
diff --git a/python/cm/services/job/run/_task.py b/python/cm/services/job/run/_task.py
index aa00e6058e..f3297d0ccc 100644
--- a/python/cm/services/job/run/_task.py
+++ b/python/cm/services/job/run/_task.py
@@ -21,6 +21,7 @@
 from cm.issue import lock_affected_objects
 from cm.models import TaskLog
 from cm.utils import get_env_with_venv_path
+from security import safe_command
 logger = logging.getLogger("adcm")
@@ -50,7 +51,6 @@ def _run_task(task: TaskLog, command: Literal["start", "restart"]):
 str(task.pk),
 ]
 logger.info("task run cmd: %s", " ".join(cmd))
- proc = subprocess.Popen( # noqa: SIM115
- args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)
+ proc = safe_command.run(subprocess.Popen, args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)
 )
 logger.info("task run #%s, python process %s", task.pk, proc.pid)
diff --git a/python/core/job/executors.py b/python/core/job/executors.py
index 3c05f8d730..2dbbabae22 100644
--- a/python/core/job/executors.py
+++ b/python/core/job/executors.py
@@ -20,6 +20,7 @@
 from typing_extensions import Self
 from core.job.types import BundleInfo
+from security import safe_command
 class ExecutionResult(NamedTuple):
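Review bot: The new `security = "==1.3.0"` entry in pyproject.toml puts a third-party package on the launch path of every job process, yet no lock-file change is visible in this diff, so nothing shown here pins the resolved artifact or its hashes. Given how generic the distribution name is, confirm the publisher and source repository before merging, and commit the regenerated lock file in the same change. The specifier also departs from its neighbours (`six = "1.16.0"`); writing `security = "1.3.0"` keeps the exact pin and matches the file's style.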
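Review bot: `SESSION_COOKIE_SECURE = True` is set unconditionally on the last line of python/adcm/settings.py, so any deployment, health check or test client that reaches the application over plain HTTP will no longer send the session cookie and authentication will fail without an obvious error. Whether such setups exist is not visible in this hunk; if they do, the value should come from deployment configuration rather than a constant. If HTTPS is guaranteed, set `CSRF_COOKIE_SECURE = True` beside it so the CSRF cookie gets the same transport restriction. A comment such as `# session cookie is sent over HTTPS only; requires TLS in front of the app` would record the requirement.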
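Review bot: In `_run_task` (python/cm/services/job/run/_task.py) the command reaches the wrapper as the keyword `args=cmd`, whereas the call in python/core/job/executors.py passes it positionally. If `safe_command.run` takes the command as its second positional parameter, as that other call suggests, this call fails with a TypeError before any process starts, or the wrapper never sees the command it is meant to inspect. Pass it positionally, `proc = safe_command.run(subprocess.Popen, cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv))`, and cover the launch path with a test. The rewrite also drops the `# noqa: SIM115` marker and leaves the closing `)` alone on the line after an over-long call, so linter and formatter output will change. `_run_task` starts and ends outside the hunk.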
@@ -99,8 +100,7 @@ def execute(self) -> Self:
 self._open_logs(log_dir=self._config.work_dir, log_prefix=self.script_type)
 os.chdir(self._config.bundle.root)
- self._process = subprocess.Popen(
- command, # noqa S603
+ self._process = safe_command.run(subprocess.Popen, command, # noqa S603
 env=environment,
 stdout=self._out_log,
 stderr=self._err_log,
pFad - Phonifier reborn
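Review bot: In `execute`, `safe_command.run` is called only after `self._open_logs(...)` and `os.chdir(...)` have taken effect, so if the wrapper rejects the command by raising, the log handles stay open and the process working directory has already changed. Whether a caller cleans up is not visible here, because `execute` continues past the end of the hunk. Either validate the command before those side effects or close the logs in an error path around the launch. The `# noqa S603` marker now sits on the `safe_command.run(` line, where the rule it suppresses may no longer fire. A comment such as `# safe_command checks the command before Popen is invoked and raises on rejection` would tell the next reader what the wrapper is relied on for.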
