diff --git a/dockerfile b/dockerfile
index 089d9a8..74d9e52 100644
--- a/dockerfile
+++ b/dockerfile
@@ -13,13 +13,17 @@ RUN go mod tidy && go build -o codex-server
 
 # create a smaller final image
 FROM alpine:latest
-WORKDIR /root/
+WORKDIR /app
 
 # copy the built binary from the builder stage
 COPY --from=builder /app/codex-server .
 
+# set a non-root user for security
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+USER appuser
+
 # expose the port (match your go server's listening port)
 EXPOSE 61594
 
 # run the go server
-CMD ["./codex-server"]
\ No newline at end of file
+ENTRYPOINT ["./codex-server"]
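Review bot: The added `USER appuser` refers to an account whose UID and GID are auto-assigned by `adduser -S`, so a runtime that enforces non-root by numeric ID (for example Kubernetes `runAsNonRoot`) cannot verify it. Pin the IDs, e.g. with a constructed value: `RUN addgroup -S -g 10001 appgroup && adduser -S -u 10001 -G appgroup appuser` followed by `USER 10001:10001`. The binary from `COPY --from=builder` stays root-owned, which is worth keeping because the service cannot overwrite its own executable. The cost is that appuser cannot write to `/app`; if the server writes relative to its working directory (not visible in this hunk; the builder stage is also outside it), give it a dedicated writable path. `ENTRYPOINT ["./codex-server"]` resolves against `WORKDIR`, so `ENTRYPOINT ["/app/codex-server"]` would survive a `--workdir` override, and the untouched context line `FROM alpine:latest` still leaves the runtime base unpinned.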