diff --git a/backend/Dockerfile b/backend/Dockerfile
index e521b909..364fc1a6 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -46,6 +46,11 @@ COPY backend/templates ./templates
 # In-repo these live at `scripts/`; runtime path is `/app/scripts`.
 COPY scripts ./scripts
 
+# Run as non-root user
+RUN groupadd --system appgroup && useradd --system --gid appgroup appuser \
+ && chown -R appuser:appgroup /app
+USER appuser
+
 # Default API port
 EXPOSE 8000
 
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 64c7b179..422032f7 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -38,6 +38,11 @@ COPY --from=builder /app/package.json ./package.json
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/next.config.ts ./next.config.ts
 
+# Run as non-root user
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser \
+ && chown -R appuser:appgroup /app
+USER appuser
+
 EXPOSE 3000
 
 CMD ["npm", "run", "start"]
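Review bot: In backend/Dockerfile the added `chown -R appuser:appgroup /app` makes the whole application tree owned by the account the service runs as, so a process compromised at runtime can overwrite the code, templates and scripts it was started from. Files placed by the earlier `COPY` lines are root-owned and, assuming ordinary source permissions, readable by other users, which is all a non-root process needs to run them. I would drop the recursive chown and keep only `RUN groupadd --system appgroup && useradd --system --gid appgroup appuser`, adding a targeted `chown appuser:appgroup <writable-dir>` for any path the service must write to; which paths those are is not visible in this hunk. A recursive chown in its own `RUN` also copies every file it touches into a new layer. The frontend hunk has the same recursive chown, where it additionally covers `node_modules`.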
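Review bot: In frontend/Dockerfile `USER appuser` refers to the account by name, and `adduser --system` takes whatever system UID is free at build time, so the image never declares a numeric UID. Orchestrators that enforce non-root by UID (Kubernetes `runAsNonRoot: true`, for instance) cannot verify a named user and refuse to start the container, and ownership of files on mounted volumes can change between rebuilds. Pin the IDs and reference them numerically, e.g. `addgroup --system --gid 10001 appgroup && adduser --system --uid 10001 --ingroup appgroup appuser` with `USER 10001:10001` (10001 is an example value, and the exact flag spelling depends on the base image, which is outside this hunk). The backend hunk's `useradd` / `USER appuser` pair has the same gap.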