diff --git a/Dockerfile b/Dockerfile
index b95317e..6917c0d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -100,6 +100,18 @@ COPY *.sh /opt/
 # CIS Docker benchmark: Remove setuid and setgid permissions in the images to prevent privilege escalation attacks within containers.
 RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
+
+# cleanup
+RUN apt purge -y \
+ && apt autoremove --purge -y \
+ && rm -rf /tmp/ \
+ && rm -rf $CATALINA_HOME/webapps/ROOT \
+ && rm -rf $CATALINA_HOME/webapps/docs \
+ && rm -rf $CATALINA_HOME/webapps/examples \
+ && rm -rf $CATALINA_HOME/webapps/host-manager \
+ && rm -rf $CATALINA_HOME/webapps/manager
+
+
 # GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories
 # See also CIS Docker benchmark and docker best practices
 RUN chmod +x /opt/*.sh \
@@ -112,16 +124,6 @@ RUN chmod +x /opt/*.sh \
 USER geoserver
-# cleanup
-RUN apt purge -y \
- && apt autoremove --purge -y \
- && rm -rf /tmp/ \
- && rm -rf $CATALINA_HOME/webapps/ROOT \
- && rm -rf $CATALINA_HOME/webapps/docs \
- && rm -rf $CATALINA_HOME/webapps/examples \
- && rm -rf $CATALINA_HOME/webapps/host-manager \
- && rm -rf $CATALINA_HOME/webapps/manager
-
 WORKDIR /opt
 ENTRYPOINT ["/opt/startup.sh"]
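Review bot: `rm -rf /tmp/` in the relocated cleanup RUN removes the /tmp directory itself rather than only its contents, and because the step now sits before `USER geoserver` it runs as root and will succeed. The container then starts as the unprivileged geoserver user without a world-writable sticky /tmp, which that user presumably cannot recreate, so anything in startup.sh or the JVM that writes to /tmp may fail. Emptying the directory keeps its 1777 mode: `&& find /tmp -mindepth 1 -delete \`. Separately, `apt purge -y` with no package names looks like a no-op, and `apt-get` is the stable interface for scripted use.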