diff --git a/Dockerfile b/Dockerfile
index c7ccf261..09486488 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,31 +1,53 @@
-# First, build the application in the `/app` directory.
+# ---- Stage 1: Builder ----
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
+
+# Install system build tools needed for compiling CFFI and dependencies
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ gcc \
+ libffi-dev \
+ python3-dev \
+ && rm -rf /var/lib/apt/lists/*
+
 ENV UV_COMPILE_BYTECODE=1
 ENV UV_LINK_MODE=copy
 WORKDIR /app
+
+# Install dependencies without dev packages
 RUN --mount=type=cache,target=/root/.cache/uv \
 --mount=type=bind,source=uv.lock,target=uv.lock \
 --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
 uv sync --frozen --no-install-project --no-dev
+
+# Copy all source files
 ADD . /app
+
+# Sync again to install any local project dependencies
 RUN --mount=type=cache,target=/root/.cache/uv \
 uv sync --frozen --no-dev
-# Then, use a final image without uv
+# ---- Stage 2: Runtime ----
 FROM python:3.12-slim-bookworm
-# Copy the application from the builder
+# Create app user (optional security)
+RUN useradd -m app
+
+# Copy from builder
 COPY --from=builder --chown=app:app /app /app
+# Set working dir
 WORKDIR /app
-# Set environment variables
+# Set environment
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/app/.venv/bin:$PATH"
-# Expose port 8000
+# Set permissions
+USER app
+
+# Expose port
 EXPOSE 8000
-# Use gunicorn on port 8000
-CMD ["gunicorn", "--bind", ":8000", "--workers", "2", "django_project.wsgi"]
\ No newline at end of file
+# Start server with Gunicorn
+CMD ["gunicorn", "--bind", ":8000", "--workers", "2", "django_project.wsgi"]
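Review bot: With the added `RUN useradd -m app` and `USER app`, gunicorn runs as the same account that owns every file under `/app`, because the unchanged `COPY --from=builder --chown=app:app /app /app` hands the source tree and `.venv` to that user, so the server process can still rewrite its own code and installed packages. Copying without the ownership flag, `COPY --from=builder /app /app`, keeps the tree root-owned and read-only to `app`; ownership can then be granted only on directories that must be writable at runtime (none are visible in this hunk, so confirm against the project). A fixed numeric ID, for example `RUN useradd --create-home --uid 10001 app` with `USER 10001`, would also let an orchestrator that enforces non-root verify the user, which a name-only `USER` does not allow. The comment `# Create app user (optional security)` is misleading, since both the `COPY --chown` and the `USER` line depend on the account; `# Create the unprivileged account that runs gunicorn` states what the step is for.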