diff --git a/backend/Dockerfile b/backend/Dockerfile
index 52f2acb..83104b7 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,10 +1,16 @@
 FROM python:3.11-slim
+# Install gosu for privilege dropping
+RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/backend/entrypoint.sh b/backend/entrypoint.sh
new file mode 100644
index 0000000..af78a19
--- /dev/null
+++ b/backend/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+# Default values
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Create group if it doesn't exist
+if ! getent group $PGID > /dev/null; then
+ addgroup --gid $PGID appuser 2>/dev/null || true
+fi
+
+# Create user if it doesn't exist
+if ! getent passwd $PUID > /dev/null; then
+ useradd -u $PUID -g $PGID -m -s /bin/bash appuser 2>/dev/null || true
+fi
+
+# Set ownership of app directory
+mkdir -p /app/data
+chown -R $PUID:$PGID /app
+
+# Run command as the created user
+exec gosu $PUID:$PGID python -m uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
diff --git a/docker-compose.yml b/docker-compose.yml
index 8001f1f..0139c99 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,7 +12,8 @@ services:
 - ./data:/app/data
 environment:
 - DATABASE_URL=sqlite:///./data/drugs.db
- command: uvicorn app.main:app --host ${BACKEND_HOST} --port 8000 --reload
+ - PUID=1001
+ - PGID=1001
 frontend:
 image: nginx:alpine
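Review bot: No `USER` is set after the new `ENTRYPOINT`, so the container still starts as root and the drop to PUID:PGID happens only when entrypoint.sh actually runs; a `docker exec` session or an overridden entrypoint stays root. That design choice deserves a comment above the `ENTRYPOINT` line, for example `# Starts as root so entrypoint.sh can fix ownership, then drops to PUID:PGID via gosu; USER is intentionally not set`. The `COPY` plus `RUN chmod +x` pair can also be a single layer, `COPY --chmod=0755 entrypoint.sh /usr/local/bin/entrypoint.sh`, which needs BuildKit.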
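Review bot: `PUID` and `PGID` are taken from the environment without validation, so `PUID=0` passes the `getent passwd` check and the final `exec gosu $PUID:$PGID` runs the service as root, silently defeating the privilege drop. The last line also ignores `"$@"` and hardcodes `--reload`, so the image `CMD` and any compose `command:` never take effect and the development reloader runs in every deployment. `chown -R $PUID:$PGID /app` makes the application code writable by the service account, although only /app/data appears to need it. The `2>/dev/null || true` on `addgroup` and `useradd` hides real failures and is worth dropping; the rest is sketched below.

```shell
# … unchanged: shebang, set -e, PUID/PGID defaults …

# Refuse empty, non-numeric, zero or zero-prefixed ids so the service can never end up as root
for id in "$PUID" "$PGID"; do
    case "$id" in
        ''|*[!0-9]*|0*)
            echo "entrypoint: PUID and PGID must be numeric ids greater than 0" >&2
            exit 1
            ;;
    esac
done

# … unchanged: group and user creation …

# Only the data directory needs to be writable by the service user
mkdir -p /app/data
chown -R "$PUID:$PGID" /app/data

# Run the image CMD (or the compose command) as the unprivileged user
exec gosu "$PUID:$PGID" "$@"
```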
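Review bot: Removing `command:` means `${BACKEND_HOST}` no longer has any effect, because backend/entrypoint.sh in this same commit hardcodes `--host 0.0.0.0` and `--reload`; a deployment that set BACKEND_HOST to restrict the bind address would now listen on all interfaces without any warning. The fixed `PUID=1001` and `PGID=1001` only match the owner of the bind-mounted `./data` on hosts where that id happens to be in use, so `- PUID=${PUID:-1000}` and `- PGID=${PGID:-1000}` would let each host supply its own. The service definition starts above this hunk, so its published ports and build context are not visible here.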