diff --git a/.dockerignore b/.dockerignore
index 587ba26ff..563f1b62c 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,5 @@
 .git
 .gitignore
+# Ignore local node_modules because we fetch only production dependencies
+# during the container build.
 node_modules
diff --git a/Dockerfile b/Dockerfile
index d8b233649..5ec5ff351 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,22 @@
-FROM node:12.13.1-alpine
+FROM node:12.18-alpine3.12
 
 EXPOSE 8061
 
-COPY . /iframely
-
 WORKDIR /iframely
 
-RUN apk add --no-cache git && \
-    npm install -g forever && \
-    npm install
+# Create new non-root user
+RUN addgroup -S iframelygroup && adduser -S iframely -G iframelygroup
+
+# This will change the config to `config.<VALUE>.js` and the express server to change its behaviour.
+# You should overwrite this on the CLI with `-e NODE_ENV=production`.
+ENV NODE_ENV=local
+
+## Utilize docker layer cache
+COPY package.json yarn.lock /iframely/
+RUN yarn install --pure-lockfile --production
+
+COPY . /iframely
+
+USER iframely
 
 ENTRYPOINT [ "/iframely/docker/entrypoint.sh" ]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index c461c51c9..0237e6839 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,27 +1,3 @@
-#!/bin/ash
+#!/bin/sh
 
-export ARGV="$@"
-export ARGC="$#"
-
-function sigterm_handler() {
-    echo "SIGTERM signal received."
-    forever stopall
-}
-
-trap "sigterm_handler; exit" TERM
-
-function entrypoint() {
-    if [ "$ARGC" -eq 0 ]
-    then
-        # Run server in cluster mode by default
-        forever start cluster.js
-    else
-        # Use command line arguments supplied at runtime
-        forever start $ARGV
-    fi
-
-    forever --fifo logs 0 &
-    wait
-}
-
-entrypoint
+exec node cluster.js