diff --git a/Dockerfile b/Dockerfile
index d5301ac4..f5cdb53e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,13 @@
 FROM nginxinc/nginx-unprivileged:1.27.5-alpine3.21
+# Switch to root to create the user
+USER root
+
+# Create app user and group with UID/GID 10001 as per ITHC security requirements
+RUN addgroup -g 10001 -S appgroup && adduser -u 10001 -S appuser -G appgroup
+
+# COPY the build files - the base image already handles proper ownership
 COPY ./build/ /usr/share/nginx/html
+
+# Run as non-root user with UID > 10000 as per ITHC security requirements
+USER 10001
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
index 2e3a8c4f..564bcb30 100644
--- a/terraform/application/application.tf
+++ b/terraform/application/application.tf
@@ -34,4 +34,8 @@ module "web_application" {
 replicas = var.replicas
 docker_image = var.docker_image
+
+ run_as_user = "10001"
+ run_as_group = "10001"
+ run_as_non_root = var.run_as_non_root
 }
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
index 22c7e480..7ddad61e 100644
--- a/terraform/application/variables.tf
+++ b/terraform/application/variables.tf
@@ -51,6 +51,11 @@ variable "enable_monitoring" {
 description = "Enable monitoring and alerting"
 }
 
+variable "run_as_non_root" {
+ default = true
+ description = "Run containers as non-root user for security compliance"
+}
+
 locals {
 postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 }
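Review bot: `USER 10001` at the end of the Dockerfile hunk switches to a UID the base image did not prepare for: nginx-unprivileged sets up its writable paths (cache, pid, conf.d templating) for its own non-root nginx user, so the freshly created appuser may be unable to start nginx unless those paths are group-writable and the new user is in that group — worth confirming with a container start in CI rather than assuming. The comment `# COPY the build files - the base image already handles proper ownership` is inaccurate for this UID; the copied files are root-owned with the build context's mode bits, which only needs to be readable for nginx to serve them, so `# Static files stay root-owned; nginx only needs read access to serve them` would be precise. If UID 10001 is a hard requirement, rebuilding from the upstream image definition with its UID/GID build arguments, or explicitly chowning the nginx writable paths in the same RUN that creates the user, is less fragile than a second user the base image knows nothing about.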
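Review bot: `run_as_user = "10001"` and `run_as_group = "10001"` in application.tf duplicate the UID/GID baked into the Dockerfile's `USER 10001` with nothing tying the two together, so a change to either side silently breaks the other — if the module sets a pod security context, the runtime UID comes from here, not from the image. A comment above them, `# Must match the UID/GID created in the Dockerfile (USER 10001)`, or a single variable that both consume, keeps them in step. Whether the module expects these as strings or numbers is not visible in this hunk; check its declared variable types.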
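Review bot: `variable "run_as_non_root"` in variables.tf declares a default but no `type`, so a non-boolean value from a tfvars file or -var is accepted at plan time and only fails, or is silently coerced, where the module uses it; adding `type = bool` next to the default makes the contract explicit. The neighbouring enable_monitoring variable shows only its description here, so I can't tell whether the file's convention is typed variables — if it is, follow it. Since this flag relaxes the non-root requirement the Dockerfile enforces, the description could state that overriding it to false is a deliberate exception, e.g. `description = "Run containers as non-root user for security compliance; override to false only as a documented exception"`.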