diff --git a/Dockerfile b/Dockerfile
index 370eeab..43973af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 
 FROM ghcr.io/linuxserver/unrar:latest AS unrar
 
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.21
 
 # set version label
 ARG BUILD_DATE
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 3cc4616..651cad7 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -2,7 +2,7 @@
 
 FROM ghcr.io/linuxserver/unrar:arm64v8-latest AS unrar
 
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21
 
 # set version label
 ARG BUILD_DATE
diff --git a/README.md b/README.md
index b16a419..72687fa 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,10 @@ Similarly to the WEBUI_PORT, to set the port to 6887 you need to pass -p 6887:68
 
 This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
 
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
 ## Usage
 
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -157,6 +161,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-v /config` | Contains all relevant configuration files. |
 | `-v /downloads` | Location of downloads on disk. |
 | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 
 ## Environment variables from files (Docker secrets)
 
@@ -320,6 +325,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **20.12.24:** - Rebase to Alpine 3.21.
 * **17.07.24:** - Restore qbittorrent-cli as it now supports openssl 3.
 * **25.05.24:** - Rebase to Alpine 3.20, remove qbittorrent-cli as it still requires openssl 1.1 which is EOL.
 * **14.02.24:** - Only set/override torrenting port if the optional env var is set.
diff --git a/readme-vars.yml b/readme-vars.yml
index 4c75ac9..057e844 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -34,6 +34,7 @@ opt_param_usage_include_vols: true
 opt_param_volumes:
   - {vol_path: "/downloads", vol_host_path: "/path/to/downloads", desc: "Location of downloads on disk."}
 readonly_supported: true
+nonroot_supported: true
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -99,6 +100,7 @@ init_diagram: |
   "qbittorrent:libtorrentv1" <- Base Images
 # changelog
 changelogs:
+  - {date: "20.12.24:", desc: "Rebase to Alpine 3.21."}
   - {date: "17.07.24:", desc: "Restore qbittorrent-cli as it now supports openssl 3."}
   - {date: "25.05.24:", desc: "Rebase to Alpine 3.20, remove qbittorrent-cli as it still requires openssl 1.1 which is EOL."}
   - {date: "14.02.24:", desc: "Only set/override torrenting port if the optional env var is set."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run b/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
index 0303424..25dd5ef 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
@@ -9,11 +9,13 @@ if [[ ! -f /config/qBittorrent/qBittorrent.conf ]]; then
     cp /defaults/qBittorrent.conf /config/qBittorrent/qBittorrent.conf
 fi
 
-# chown download directory if currently not set to abc
-if grep -qe ' /downloads ' /proc/mounts; then
-    lsiown abc:abc /downloads
-fi
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    # chown download directory if currently not set to abc
+    if grep -qe ' /downloads ' /proc/mounts; then
+        lsiown abc:abc /downloads
+    fi
 
-# permissions
-lsiown -R abc:abc \
-    /config
+    # permissions
+    lsiown -R abc:abc \
+        /config
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run b/root/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
index a03e7fb..8dbcd7b 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
@@ -11,6 +11,12 @@ if [[ -z ${WEBUI_ADDRESS} ]] || [[ ${WEBUI_ADDRESS} == "*" ]]; then
     WEBUI_ADDRESS="localhost"
 fi
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z ${WEBUI_ADDRESS} ${WEBUI_PORT}" \
-        s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" ${TORRENTING_PORT_ARG}
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z ${WEBUI_ADDRESS} ${WEBUI_PORT}" \
+            s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" ${TORRENTING_PORT_ARG}
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z ${WEBUI_ADDRESS} ${WEBUI_PORT}" \
+            /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" ${TORRENTING_PORT_ARG}
+fi