Isolate backend and db from host: two Docker networks
- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy - frontend-net: frontend only; single host port binding (80 prod / 5173 dev) - Remove ports: from db (5432) and backend (8000) — unreachable from host - Security auditor: hard rule to never add host ports to db or backend Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
@@ -85,3 +85,4 @@ Key management: private key (`JWT_PRIVATE_KEY`) signs tokens and must never be e
|
||||
- After any code change, verify the pre-commit hook still passes
|
||||
- **Never mount `/var/run/docker.sock` directly into the backend container** — Docker socket access must always go through `tecnativa/docker-socket-proxy` on an internal-only network with a minimal API whitelist. Raw socket access inside any app container is equivalent to root on the host.
|
||||
- **Never spawn `--privileged` containers** or containers with added capabilities for app workloads
|
||||
- **Expose the bare minimum of ports to the host** — only the frontend binds a host port (80 prod / 5173 dev). The database and backend must never have `ports:` in any compose file; they are reachable only via internal Docker networks. If a new service is added, default to no host port binding unless there is an explicit reason.
|
||||
|
||||
Reference in New Issue
Block a user