diff --git a/Dockerfile b/Dockerfile
index 5919d2a..5929a23 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,32 @@
+# Builder stage
+FROM golang:1.2-bookworm AS builder
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+# Build with CGO enabled for sqlite
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o fitness-app ./main.go
+
+# Runtime stage
 FROM debian:bookworm-slim
 
-# (optional) install ca-certificates if needed
-RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN useradd -m appuser
 
 WORKDIR /app
 
 COPY --from=builder /app/fitness-app /app/fitness-app
 
 # External data dir for sqlite db
-RUN mkdir -p /data
+RUN mkdir -p /data && chown -R appuser:appuser /data
 
 ENV DATABASE_URL=/data/fitness.db
 
-# DO NOT switch user -> run as root
+USER appuser
+
 EXPOSE 8080
 VOLUME ["/data"]