diff --git a/Dockerfile b/Dockerfile
index 3892e55..64c1821 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,30 +1,45 @@
-FROM python:3.12-slim
+FROM python:3.12-slim-bookworm
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     PIP_NO_CACHE_DIR=1
 
 RUN set -eux; \
-    apt-get update -o Acquire::Retries=5; \
-    apt-get install -y --no-install-recommends -o Acquire::Retries=5 \
-        build-essential \
-        libpq-dev \
-        curl \
-        nodejs \
-        npm \
-        libasound2 \
-        libatk-bridge2.0-0 \
-        libatk1.0-0 \
-        libcups2 \
-        libgbm1 \
-        libgtk-3-0 \
-        libnss3 \
-        libx11-xcb1 \
-        libxcomposite1 \
-        libxdamage1 \
-        libxfixes3 \
-        libxrandr2 \
-        fonts-liberation; \
+    sed -i 's|http://deb.debian.org|https://deb.debian.org|g' /etc/apt/sources.list.d/debian.sources; \
+    printf '%s\n' \
+        'Acquire::Retries "8";' \
+        'Acquire::http::No-Cache "true";' \
+        'Acquire::https::No-Cache "true";' \
+        'Acquire::http::Pipeline-Depth "0";' \
+        'Acquire::BrokenProxy "true";' \
+        > /etc/apt/apt.conf.d/99docker-hardening; \
+    apt-get update; \
+    for attempt in 1 2 3; do \
+        apt-get install -y --no-install-recommends \
+            build-essential \
+            libpq-dev \
+            curl \
+            nodejs \
+            npm \
+            libasound2 \
+            libatk-bridge2.0-0 \
+            libatk1.0-0 \
+            libcups2 \
+            libgbm1 \
+            libgtk-3-0 \
+            libnss3 \
+            libx11-xcb1 \
+            libxcomposite1 \
+            libxdamage1 \
+            libxfixes3 \
+            libxrandr2 \
+            fonts-liberation \
+            && break; \
+        if [ "$attempt" -eq 3 ]; then exit 1; fi; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep "$((attempt * 5))"; \
+        apt-get update; \
+    done; \
     rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app