diff --git a/ocr-service/Dockerfile b/ocr-service/Dockerfile
index 2de1d862..e6d60360 100644
--- a/ocr-service/Dockerfile
+++ b/ocr-service/Dockerfile
@@ -23,8 +23,16 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
+RUN useradd --no-create-home --shell /usr/sbin/nologin --uid 1000 ocr \
+    && mkdir -p /home/ocr /app/models /app/cache \
+    && chown -R ocr:ocr /app /home/ocr
 RUN chmod +x /app/entrypoint.sh
 
+ENV HOME=/home/ocr
+ENV HF_HOME=/app/cache
+
+USER ocr
+
 EXPOSE 8000
 
 CMD ["/app/entrypoint.sh"]