diff --git a/backend/Dockerfile b/backend/Dockerfile
index 5854276..53a7675 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,18 +1,41 @@
 # syntax=docker/dockerfile:1
-FROM golang:1.24 AS builder
-WORKDIR /app
+# ===== STAGE 1: Build =====
+FROM golang:1.24-alpine AS builder
+
+# Instala certificados SSL para HTTPS
+RUN apk add --no-cache ca-certificates tzdata
+
+WORKDIR /build
+
+# Cache de dependências - só rebuild se go.mod/go.sum mudar
 COPY go.mod go.sum ./
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod \
+ go mod download && go mod verify
+# Copia código fonte
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o /out/performance-core ./cmd/api
+# Build otimizado com cache
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+ go build -trimpath -ldflags="-s -w -extldflags '-static'" \
+ -o /app/server ./cmd/api
-FROM gcr.io/distroless/base-debian12:nonroot
-WORKDIR /app
+# ===== STAGE 2: Runtime (scratch - imagem mínima ~5MB) =====
+FROM scratch
-COPY --from=builder /out/performance-core /app/performance-core
+# Certificados SSL e timezone
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+
+# Binary
+COPY --from=builder /app/server /server
+
+# Usuário não-root (UID 65534 = nobody)
+USER 65534:65534
 EXPOSE 8080
-ENTRYPOINT ["/app/performance-core"]
+
+ENTRYPOINT ["/server"]
diff --git a/backoffice/Dockerfile b/backoffice/Dockerfile
index 4a50e43..5580c41 100644
--- a/backoffice/Dockerfile
+++ b/backoffice/Dockerfile
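Review bot: `GOOS=linux GOARCH=amd64` is hard-coded in the build step, so a `docker buildx build --platform linux/arm64` of this file produces an amd64 binary inside an arm64-labelled `scratch` image that will not run there. Use the BuildKit platform args instead: `FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder`, then `ARG TARGETOS TARGETARCH` before the build and `CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \`. The `-extldflags '-static'` added to `-ldflags` is a no-op under `CGO_ENABLED=0` (no external linker is invoked) and can be dropped so it does not suggest the static binary depends on it. Because the runtime stage is `scratch` there is no shell for a `HEALTHCHECK`; add `# no HEALTHCHECK possible on scratch — the orchestrator must probe the HTTP endpoint` next to `EXPOSE 8080` so operators know liveness is their job. `apk add --no-cache ca-certificates tzdata` is also unpinned; pinning (`ca-certificates=<ver>`) makes the trust store copied into the final image reproducible across rebuilds.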
@@ -1,22 +1,44 @@
-FROM node:iron-slim AS base
-RUN corepack enable
+# syntax=docker/dockerfile:1
+
+# ===== STAGE 1: Base =====
+FROM node:22-alpine AS base
+RUN corepack enable && corepack prepare pnpm@latest --activate
 WORKDIR /app
+# ===== STAGE 2: Dependencies =====
 FROM base AS deps
 COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile
+# Cache do pnpm store para builds mais rápidas
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+ pnpm install --frozen-lockfile
+
+# ===== STAGE 3: Build =====
 FROM deps AS build
 COPY . .
-RUN pnpm prisma:generate
-RUN pnpm build
+RUN pnpm prisma:generate && pnpm build
+
+# ===== STAGE 4: Production =====
+FROM node:22-alpine AS production
+
+# Cria usuário não-root
+RUN addgroup --system --gid 1001 nodejs && \
+ adduser --system --uid 1001 nestjs
-FROM base AS production
-ENV NODE_ENV=production
 WORKDIR /app
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --prod --frozen-lockfile
-COPY --from=build /app/dist ./dist
-COPY --from=build /app/prisma ./prisma
+
+# Copia apenas o necessário para produção
+COPY --from=build --chown=nestjs:nodejs /app/dist ./dist
+COPY --from=build --chown=nestjs:nodejs /app/prisma ./prisma
+COPY --from=build --chown=nestjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
+COPY --from=build --chown=nestjs:nodejs /app/node_modules/@prisma ./node_modules/@prisma
+COPY --from=deps --chown=nestjs:nodejs /app/node_modules ./node_modules
+COPY --chown=nestjs:nodejs package.json ./
+
+ENV NODE_ENV=production
+
+USER nestjs
+
 EXPOSE 3000
+
 CMD ["node", "dist/main.js"]
diff --git a/saveinmed-bff/Dockerfile b/saveinmed-bff/Dockerfile
index 362d6e4..2b64971 100644
--- a/saveinmed-bff/Dockerfile
+++ b/saveinmed-bff/Dockerfile
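Review bot: The production stage now ships devDependencies: `deps` runs `pnpm install --frozen-lockfile` with no `--prod`, and the final stage copies `--from=deps /app/node_modules` wholesale, whereas the removed lines installed with `pnpm install --prod --frozen-lockfile`. That puts build-only tooling (compilers, test runners, whatever is in devDependencies) into the runtime image and enlarges its CVE surface for no runtime benefit. The two targeted Prisma copies are also placed before the broad `node_modules` copy, so any file under `node_modules/.prisma` or `node_modules/@prisma` that also exists in `deps` is overwritten by the deps-stage version rather than the one produced by `pnpm prisma:generate`; with pnpm's `.pnpm` layout I cannot confirm these top-level paths exist at all, so that ordering is worth verifying rather than assuming. Add a `prod-deps` stage and copy the generated client after the bulk `node_modules`, as below. Separately, `corepack prepare pnpm@latest --activate` fetches an unpinned package manager at build time; pin it through the `packageManager` field in package.json (corepack honours it) or an explicit `pnpm@<version>` so the lockfile is the only thing deciding what gets installed.
```dockerfile
# ===== STAGE 3b: Production dependencies =====
FROM base AS prod-deps
COPY package.json pnpm-lock.yaml ./
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
    pnpm install --prod --frozen-lockfile

# … unchanged: STAGE 4 base image, user creation, WORKDIR …
COPY --from=prod-deps --chown=nestjs:nodejs /app/node_modules ./node_modules
COPY --from=build --chown=nestjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
COPY --from=build --chown=nestjs:nodejs /app/node_modules/@prisma ./node_modules/@prisma
COPY --from=build --chown=nestjs:nodejs /app/dist ./dist
COPY --from=build --chown=nestjs:nodejs /app/prisma ./prisma
COPY --chown=nestjs:nodejs package.json ./
# … unchanged: ENV NODE_ENV, USER, EXPOSE, CMD …
```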
@@ -1,17 +1,44 @@
-FROM python:3.12-slim
+# syntax=docker/dockerfile:1
+
+# ===== STAGE 1: Builder =====
+FROM python:3.12-slim AS builder
+
+WORKDIR /build
+
+# Instala dependências em virtualenv isolado
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+COPY requirements.txt .
+
+# Cache de pip para builds mais rápidas
+RUN --mount=type=cache,target=/root/.cache/pip \
+ pip install --upgrade pip && \
+ pip install -r requirements.txt
+
+# ===== STAGE 2: Production =====
+FROM python:3.12-slim AS production
+
+# Variáveis de ambiente Python otimizadas
+ENV PYTHONDONTWRITEBYTECODE=1 \
+ PYTHONUNBUFFERED=1 \
+ PATH="/opt/venv/bin:$PATH"
 WORKDIR /app
-COPY requirements.txt /app/requirements.txt
-RUN pip install --no-cache-dir -r requirements.txt
+# Copia virtualenv do builder
+COPY --from=builder /opt/venv /opt/venv
-COPY src /app/src
+# Copia código fonte
+COPY src ./src
+
+# Cria usuário não-root
+RUN useradd --system --no-create-home --uid 1001 appuser && \
+ chown -R appuser:appuser /app
-# Opcional: user não-root
-RUN useradd -m appuser
 USER appuser
 EXPOSE 8000
-# ✅ apontar para o entrypoint correto
-CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"]
+# Uvicorn com workers otimizados
+CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000", "--workers", "1"]
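Review bot: `chown -R appuser:appuser /app` hands the runtime user write access to its own source tree, which the removed lines did not do (`COPY src /app/src` left the files root-owned), so a compromised request handler can now persist by rewriting `src/`; it also re-copies the whole `/app` tree into a second layer. Drop the `chown` and keep the code root-owned — `RUN useradd --system --no-create-home --uid 1001 appuser` on its own is enough, provided the build-context file modes are world-readable, and if the app needs a writable path create only that directory with `--chown=appuser:appuser`. The builder's `pip install --upgrade pip` is unpinned, so the resolver that installs `requirements.txt` can change between builds; pin it (`pip install 'pip==<version>'`) or omit the upgrade. `useradd --no-create-home` also leaves the passwd home entry pointing at a directory that does not exist; if any dependency writes under `$HOME` (cannot tell from here), set `ENV HOME=/tmp` or a dedicated writable dir rather than letting it fail at runtime.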