diff --git a/Dockerfile b/Dockerfile
index db21bcf..e2ea02e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.8
+FROM python:3.10
 RUN mkdir -p app
 WORKDIR /app
 
@@ -7,17 +7,20 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/*
 
 ENV SQLITE_EXTENSIONS '/usr/lib/x86_64-linux-gnu/mod_spatialite.so'
-RUN pip install -U datasette
-RUN pip install datasette-block-robots
-RUN pip uninstall -y uvicorn
-RUN pip install uvicorn[standard] gunicorn
-RUN pip install csvkit
+COPY requirements/requirements.txt .
+RUN pip install -r requirements.txt
 
 EXPOSE 5000
 ENV PORT=5000
 
 COPY startup.sh .
 
-ADD templates /app/templates
+COPY templates /app/templates
+
+RUN groupadd --system appuser && \
+    useradd --system --gid appuser --no-create-home appuser && \
+    chown -R appuser:appuser /app
+
+USER appuser
 
 ENTRYPOINT ["bash", "startup.sh"]
diff --git a/Makefile b/Makefile
index 9ed9e45..a3e4792 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,8 @@
-.PHONY: init start clean
+.PHONY: init start clean piptoool-compile piptool-upgrade
 
 init: ./files
+	pip install pip-tools
+	pip-sync requirements/requirements.txt
 
 ./files:
 	@bash download-files.sh $$BUCKET
@@ -11,6 +13,12 @@ start: ./files
 clean:
 	@rm -rf ./files
 
+piptool-compile:
+	pip-compile requirements/requirements.in
+
+piptool-upgrade:
+	pip-compile --upgrade requirements/requirements.in
+
 test-smoke:
 	cd tests/smoke && \
 	pip install -r requirements_test.txt && \
diff --git a/requirements/requirements.in b/requirements/requirements.in
new file mode 100644
index 0000000..a372dca
--- /dev/null
+++ b/requirements/requirements.in
@@ -0,0 +1,5 @@
+datasette
+datasette-block-robots
+uvicorn[standard]
+gunicorn
+csvkit
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
new file mode 100644
index 0000000..9859bf1
--- /dev/null
+++ b/requirements/requirements.txt
@@ -0,0 +1,155 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile requirements.in
+#
+agate==1.14.1
+    # via
+    #   agate-dbf
+    #   agate-excel
+    #   agate-sql
+    #   csvkit
+agate-dbf==0.2.4
+    # via csvkit
+agate-excel==0.4.2
+    # via csvkit
+agate-sql==0.7.3
+    # via csvkit
+aiofiles==25.1.0
+    # via datasette
+anyio==4.12.1
+    # via
+    #   httpx
+    #   watchfiles
+asgi-csrf==0.11
+    # via datasette
+asgiref==3.11.1
+    # via datasette
+babel==2.18.0
+    # via agate
+certifi==2026.1.4
+    # via
+    #   httpcore
+    #   httpx
+click==8.3.1
+    # via
+    #   click-default-group
+    #   datasette
+    #   uvicorn
+click-default-group==1.2.4
+    # via datasette
+csvkit==2.2.0
+    # via -r requirements.in
+datasette==0.65.2
+    # via
+    #   -r requirements.in
+    #   datasette-block-robots
+datasette-block-robots==1.1
+    # via -r requirements.in
+dbfread==2.0.7
+    # via agate-dbf
+et-xmlfile==2.0.0
+    # via openpyxl
+exceptiongroup==1.3.1
+    # via anyio
+flexcache==0.3
+    # via datasette
+flexparser==0.4
+    # via datasette
+greenlet==3.3.1
+    # via sqlalchemy
+gunicorn==25.1.0
+    # via -r requirements.in
+h11==0.16.0
+    # via
+    #   httpcore
+    #   uvicorn
+httpcore==1.0.9
+    # via httpx
+httptools==0.7.1
+    # via uvicorn
+httpx==0.28.1
+    # via datasette
+hupper==1.12.1
+    # via datasette
+idna==3.11
+    # via
+    #   anyio
+    #   httpx
+isodate==0.7.2
+    # via agate
+itsdangerous==2.2.0
+    # via
+    #   asgi-csrf
+    #   datasette
+janus==2.0.0
+    # via datasette
+jinja2==3.1.6
+    # via datasette
+leather==0.4.1
+    # via agate
+markupsafe==3.0.3
+    # via jinja2
+mergedeep==1.3.4
+    # via datasette
+olefile==0.47
+    # via agate-excel
+openpyxl==3.1.5
+    # via
+    #   agate-excel
+    #   csvkit
+packaging==26.0
+    # via gunicorn
+parsedatetime==2.6
+    # via agate
+platformdirs==4.9.2
+    # via datasette
+pluggy==1.6.0
+    # via datasette
+python-dotenv==1.2.1
+    # via uvicorn
+python-multipart==0.0.22
+    # via asgi-csrf
+python-slugify==8.0.4
+    # via agate
+pytimeparse==1.1.8
+    # via agate
+pyyaml==6.0.3
+    # via
+    #   datasette
+    #   uvicorn
+sqlalchemy==2.0.46
+    # via
+    #   agate-sql
+    #   csvkit
+text-unidecode==1.3
+    # via python-slugify
+typing-extensions==4.15.0
+    # via
+    #   anyio
+    #   asgiref
+    #   datasette
+    #   exceptiongroup
+    #   flexcache
+    #   flexparser
+    #   sqlalchemy
+    #   uvicorn
+uvicorn[standard]==0.41.0
+    # via
+    #   -r requirements.in
+    #   datasette
+uvloop==0.22.1
+    # via uvicorn
+watchfiles==1.1.1
+    # via uvicorn
+websockets==16.0
+    # via uvicorn
+xlrd==2.0.2
+    # via
+    #   agate-excel
+    #   csvkit
+
+# The following packages are considered to be unsafe in a requirements file:
+# pip
+# setuptools