diff --git a/Dockerfile b/Dockerfile
index 6a8b88d..069d83b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,13 +9,13 @@ RUN npm ci
 COPY . .
 RUN npm run build
 
-# Stage 2: Production
-FROM nginx:stable-alpine AS prod
+# Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
+FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
 
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 
-EXPOSE 80
+EXPOSE 8080
 
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-  CMD wget -qO- http://localhost/health || exit 1
+  CMD wget -qO- http://localhost:8080/health || exit 1