diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..06cf085
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,15 @@
+.git
+.github
+node_modules
+data
+*.db
+*.db-shm
+*.db-wal
+.env
+.env.*
+!.env.example
+*.log
+.claude
+CLAUDE.md
+TODO.md
+docker-compose.yml
diff --git a/README.md b/README.md
index 8ba8e18..5ac4a50 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,17 @@ docker compose up -d
 4. Use the setup wizard to configure your first checking account (organization info, bank info, routing/account numbers), or import an existing ezCheckPrinting `.mdb` file.
 
+#### Upgrading from images before v0.5
+
+The container now runs as the unprivileged `node` user (UID 1000). Existing data
+volumes were written as root, so fix ownership once before upgrading:
+
+```bash
+docker compose down
+docker run --rm -v check-printing-data:/data alpine chown -R 1000:1000 /data
+docker compose up -d
+```
+
 ### Development (local)
 
 ```bash
diff --git a/docker/Dockerfile b/docker/Dockerfile
index dafd214..2a32c25 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,5 +1,7 @@
 FROM node:20-slim
 
+ENV NODE_ENV=production
+
 # mdbtools for migration script (only needed on first run, stays in image for convenience)
 RUN apt-get update && apt-get install -y --no-install-recommends mdbtools && rm -rf /var/lib/apt/lists/*
 
@@ -10,9 +12,13 @@ RUN npm ci --omit=dev
 
 COPY . .
 
-# Data volume: SQLite database and any runtime uploads
+# Data volume: SQLite database and any runtime uploads.
+# Pre-create it owned by the unprivileged user so named volumes inherit ownership.
+RUN mkdir -p /app/data && chown -R node:node /app
 VOLUME ["/app/data"]
 
+USER node
+
 EXPOSE 3000
 
 CMD ["node", "src/app.js"]
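Review bot: The `.env`, `.env.*`, `*.db`, `*.db-shm`, `*.db-wal` and `*.log` entries in the new `.dockerignore` match only at the root of the build context, because `.dockerignore` patterns are anchored there rather than applied at any depth as in `.gitignore`. The Dockerfile does `COPY . .`, so an env file or SQLite database in any subdirectory other than `data` would still be copied into an image layer; `**/.env`, `**/.env.*` and `**/*.db*` would cover nested paths. The README describes importing ezCheckPrinting `.mdb` files, which hold routing and account numbers, so if one is ever placed in the project directory for migration (not visible from this diff) a `**/*.mdb` entry would keep it out of the image as well.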
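Review bot: In the second hunk of `docker/Dockerfile`, `chown -R node:node /app` gives the runtime user write access to the application source and `node_modules`, not only to the data directory, so a compromised Node process could modify the code it runs from. Going by the comment, only `/app/data` needs to be writable, so `RUN mkdir -p /app/data && chown node:node /app/data` would keep the code root-owned and read-only to `node`; confirm first that the app writes nowhere else under `/app`. Narrowing the chown also avoids a layer that re-stores everything placed by `COPY . .` and `npm ci`. The README's upgrade step relies on UID 1000, so `USER 1000:1000` would make that contract explicit and let runtimes that enforce non-root verify it.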