diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7a8d980..506789a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:3.18
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 
 # TARGETPLATFORM is injected by docker build
 ARG TARGETPLATFORM
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 0d4b19e..03bdb73 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
@@ -2,13 +2,17 @@ ARG VERSION=latest
 
 # kiwix-tools is multi-arch
 FROM ghcr.io/kiwix/kiwix-tools:$VERSION
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 
 # expose kiwix-serve default port and workdir
 EXPOSE 8080
 VOLUME /data
 WORKDIR /data
 
+# running as a named unprivileged user
+RUN addgroup -S user && adduser -S user -G user
+USER user
+
 COPY ./start.sh /usr/local/bin/
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/start.sh"]