diff --git a/backend/Dockerfile b/backend/Dockerfile
index d7cf1401..a8e87052 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -31,7 +31,8 @@ FROM base AS runtime
 
 # Create non-root user before COPY so --chown can reference it.
 # Using COPY --chown avoids a slow recursive chown on overlay2 (docker/for-linux#388).
-RUN groupadd --system appgroup && useradd --system --gid appgroup --create-home appuser
+RUN groupadd --system appgroup && useradd --system --gid appgroup --create-home appuser \
+  && chown appuser:appgroup /app
 
 # Copy virtual environment from deps stage
 COPY --from=deps --chown=appuser:appgroup /app/.venv /app/.venv
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 3869779d..09bf6811 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -33,7 +33,8 @@ ENV NEXT_PUBLIC_AUTH_MODE=${NEXT_PUBLIC_AUTH_MODE}
 
 # Create non-root user before COPY so --chown can reference it.
 # Using COPY --chown avoids a slow recursive chown on overlay2 (docker/for-linux#388).
-RUN addgroup -S appgroup && adduser -S -G appgroup appuser
+RUN addgroup -S appgroup && adduser -S -G appgroup appuser \
+  && chown appuser:appgroup /app
 
 COPY --from=builder --chown=appuser:appgroup /app/.next ./.next
 # `public/` is optional in Next.js apps; repo may not have it.