diff --git a/web/Dockerfile b/web/Dockerfile
index c464d0b..0d19ec2 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -25,16 +25,14 @@ RUN bun run build
 # ─────────────────────────────────────────────
 FROM node:22-alpine
 
-# UID 65534 = nobody on Alpine, matches podSecurityContext.runAsUser
-RUN adduser -D -u 65534 -g '' nonroot
-
 WORKDIR /app
 
 COPY --from=builder /app/build ./build
 COPY --from=deps /app/node_modules ./node_modules
 COPY --from=builder /app/package.json .
 
-USER nonroot:nonroot
+# node:22-alpine already ships nobody at UID 65534 — matches podSecurityContext.runAsUser
+USER nobody:nobody
 
 # ORIGIN is required by adapter-node for CSRF protection.
 # Must match the public-facing URL exactly (set via k8s ConfigMap).
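Review bot: `USER nobody:nobody` on the new side names the account symbolically, so the UID the container runs under is whatever the base image's `/etc/passwd` maps `nobody` to, and the kubelet cannot verify `runAsNonRoot` against a non-numeric image user when `runAsUser` is not set on the pod. The added comment says the deployment sets `podSecurityContext.runAsUser`, which would cover that case, but the pod spec is not visible here and the image would then be correct only when run through that spec. Writing the IDs directly, `USER 65534:65534`, pins the value the comment already relies on and keeps it stable if the floating `node:22-alpine` tag or the base image changes. The stage continues past the end of the hunk, so whether later instructions need a path writable by this UID cannot be checked from here.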