diff --git a/Dockerfile b/Dockerfile
index 7573df4..001f562 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,10 @@ WORKDIR /app
 # Copy the current directory contents into the container at /app
 COPY . /app
+# Run as non-root user for security
+RUN useradd -m appuser
+USER appuser
+
 # Run poetry install --without dev
 RUN poetry install --only main --no-root
diff --git a/terraform/dashboard/main.tf b/terraform/dashboard/main.tf
index 01e8774..8563857 100644
--- a/terraform/dashboard/main.tf
+++ b/terraform/dashboard/main.tf
@@ -33,6 +33,7 @@ resource "aws_ecs_task_definition" "ecs_service_definition" {
 appProtocol = "http"
 }
 ],
+ readonlyRootFilesystem = true,
 environment = [
 {
 name = "AWS_ACCESS_KEY_ID"
@@ -117,10 +118,7 @@ resource "aws_ecs_service" "application" {
 network_configuration {
 subnets = data.terraform_remote_state.ecs_infrastructure.outputs.private_subnets
 security_groups = [aws_security_group.allow_rules_service.id]
-
- # TODO: The container fails to launch unless a public IP is assigned
- # For a private ip, you would need to use a NAT Gateway?
- assign_public_ip = true
+ assign_public_ip = false
 }
 }
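Review bot: `USER appuser` is switched before `RUN poetry install --only main --no-root`, but `COPY . /app` above it ran as root, so /app is root-owned and a poetry configured for in-project virtualenvs (or any other write into /app) will fail; the poetry binary itself is installed earlier in the Dockerfile, outside this hunk, and if that happened under /root it will not be on appuser's PATH either. Either chown the sources at copy time with `COPY --chown=appuser:appuser . /app` placed after the `useradd`, or keep the install as root and move `USER appuser` to just before the entrypoint so the virtualenv lands somewhere the runtime user can read. Independently, pin the UID and disable the login shell, `RUN useradd -m -u 10001 -s /usr/sbin/nologin appuser`, so the identity is stable across rebuilds and orchestrator non-root checks can match it numerically.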
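Review bot: `readonlyRootFilesystem = true` leaves the container with no writable path at all unless a tmpfs or volume is mounted, and this hunk shows no such mount, so runtime writes to /tmp or the user's home (Python bytecode caches, poetry, temp files) will fail with EROFS; the rest of the container definition is outside the hunk, so check it for a `mountPoints` entry. On the EC2 launch type add `linuxParameters = { tmpfs = [{ containerPath = "/tmp", size = 64 }] }` next to the new key; on Fargate, where tmpfs is not supported, declare a `volume {}` on the task and a `mountPoints` entry for /tmp instead. Separately, the `environment` list this line sits above injects `AWS_ACCESS_KEY_ID` as a plaintext task-definition variable, readable by anyone with ecs:DescribeTaskDefinition; a task IAM role via `task_role_arn`, or at least a `secrets` entry backed by Secrets Manager/SSM, would remove the static key — pre-existing, but worth fixing while hardening this definition.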
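Review bot: `assign_public_ip = false` removes the egress path the deleted TODO said the task depended on, and nothing in this hunk — or in what it reads from the `ecs_infrastructure` remote state for `private_subnets` — shows a NAT gateway or VPC endpoints, so the task may now fail to pull its image from ECR or ship logs to CloudWatch. Before merging, confirm the private subnets route to a NAT or that interface endpoints for ecr.api, ecr.dkr and logs (plus secretsmanager/ssm if secrets are used) and an S3 gateway endpoint exist; endpoints are the tighter choice because they keep the task off the internet entirely. Record the dependency in place of the removed comment, e.g. `# Tasks have no public IP; ECR pulls and CloudWatch logs rely on the NAT/VPC endpoints provisioned in ecs_infrastructure`, so the next person does not flip it back to true.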