diff --git a/Dockerfile b/Dockerfile
index 2079512..00b968f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,18 +20,24 @@ RUN pnpm build
 FROM base AS runner
+# https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#non-root-user
+RUN deluser --remove-home node && addgroup -S node -g 1000 && adduser -S -G node -u 1000 node
+
 # https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#handling-kernel-signals
 RUN apk --no-cache add tini
 WORKDIR /garden-snail
-COPY package.json pnpm-lock.yaml ./
+RUN chown -R node:node .
+COPY --chown=node:node package.json pnpm-lock.yaml ./
 # with NODE_ENV=production pnpm will not install devDependencies
 ENV NODE_ENV=production
 RUN pnpm install --frozen-lockfile
-COPY --from=builder /garden-snail/dist ./dist
+COPY --from=builder --chown=node:node /garden-snail/dist ./dist
+
+USER node
 EXPOSE 3000
 ENTRYPOINT ["/sbin/tini", "node", "dist/main"]