diff --git a/Dockerfile b/Dockerfile
index c300455..d38e3e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,19 +3,20 @@ FROM node:22-alpine AS builder
 
 WORKDIR /app
 
-# Copy package files
+# Copy package files first (better cache layer)
 COPY package.json package-lock.json ./
 
-# Install dependencies (including dev for build)
-RUN npm install --legacy-peer-deps
+# Install dependencies (include optional for native modules like oxc-parser)
+RUN npm install --legacy-peer-deps && \
+    npm cache clean --force
 
 # Copy app source
 COPY . .
 
-# Build app
-RUN npm run build
+# Build app with higher memory limit (prerendering is memory-intensive)
+RUN NODE_OPTIONS="--max-old-space-size=2048" npm run build
 
-# Runtime stage
+# Runtime stage - use distroless for minimal size
 FROM node:22-alpine
 
 WORKDIR /app
@@ -23,18 +24,26 @@ WORKDIR /app
 # Copy package files
 COPY package.json package-lock.json ./
 
-# Install only production dependencies
-RUN npm install --omit=dev --legacy-peer-deps
+# Install production dependencies only with optimizations
+RUN npm install --omit=dev --legacy-peer-deps && \
+    npm cache clean --force && \
+    # Remove unnecessary files
+    rm -rf /root/.npm /root/.cache
 
 # Copy built app from builder
 COPY --from=builder /app/.output ./.output
 
-# Expose port (adjust if needed)
+# Use non-root user for security
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nodejs -u 1001
+
+USER nodejs
+
 EXPOSE 3000
 
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
   CMD node -e "require('http').get('http://localhost:3000/', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})"
 
-# Start app
-CMD ["node", ".output/server/index.mjs"]
+# Start app with memory limits
+CMD ["node", "--max-old-space-size=512", ".output/server/index.mjs"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 5a8aed0..554a65a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,17 @@ services:
       - "3000:3000"
     environment:
       - NODE_ENV=production
+      - NODE_OPTIONS=--max-old-space-size=512
     volumes:
-      - ../botasaurus/content/novels:/app/content/novels
-      - ../botasaurus/public/images:/app/public/images
+      - ../botasaurus/content/novels:/app/content/novels:ro
+      - ../botasaurus/public/images:/app/public/images:ro
     restart: unless-stopped
+    # Resource limits for 2vCPU VPS
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1G
+        reservations:
+          cpus: '1'
+          memory: 512M