diff --git a/Dockerfile b/Dockerfile
index 27dc2771..49a8f787 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,4 +69,5 @@ ENV DATABASE_URL=file:/app/database/hemmelig.db
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
     CMD wget --no-verbose --tries=1 --spider http://localhost:3000/api/health/ready || exit 1
 
+USER app
 ENTRYPOINT ["/app/docker-entrypoint.sh"]
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
index cbbda968..f5a8bd94 100644
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
 set -e
 
-# Fix permissions on mounted volumes (runs as root)
-chown -R app:app /app/database /app/uploads 2>/dev/null || true
-
-# Run migrations and start app as app user
-exec gosu app sh -c 'npx prisma migrate deploy && exec npx tsx server.ts'
+# Run migrations and start app
+sh -c 'npx prisma migrate deploy && exec npx tsx server.ts'