what is a safe way to add an immutable flag to a created docker container?

I have a docker image that can run in two modes DEV and PROD.
Dev is insecure (e.g does not validate for credentials, CORS is allowed etc’) while PROD is secure.

Is there a safe method (e.g by leveraging environment variable, docker config, docker secrets..) to set the flag in the created container to PROD and be reasonable sure it can not be later set to DEV by an adversary, resulting a security breach?

(docker is running within a docker swarm)

Source: StackOverflow