Business-Management/changelog/2026-04-14_network-isolation.md
curo1305 d423bea134 Isolate backend and db from host: two Docker networks
- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy
- frontend-net: frontend only; single host port binding (80 prod / 5173 dev)
- Remove ports: from db (5432) and backend (8000) — unreachable from host
- Security auditor: hard rule to never add host ports to db or backend

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 00:06:38 +02:00

2026-04-14 — Docker network isolation: backend and db ports removed from host

Timestamp: 2026-04-14T00:00:00

Summary

Replaced the flat single-network Docker setup with two explicit networks. Only the frontend binds a host port; the database and backend carry no ports: entries, so nothing on the host or on its LAN can connect to 5432 or 8000 directly. The scope of the change is host exposure, not container-to-container reachability: the frontend container sits on both networks and can still open connections to db and backend, so a compromised frontend (or a misrouted reverse-proxy upstream) still reaches both. To verify on the host, ss -ltn should show only port 80 (prod) or 5173 (dev) listening for this stack.

Network architecture

  • backend-net (internal: true) — db, backend, and the frontend reverse proxy; Docker attaches no gateway to an internal network, so members have no host routing and no egress through it
  • frontend-net — frontend only; binds port 80 (prod) or 5173 (dev) to the host. The frontend is the only service on both networks and therefore the only path from the host into backend-net

Files Modified

  • docker-compose.yml — removed ports: from db and backend; added networks: to all services; defined backend-net (internal) and frontend-net
  • docker-compose.dev.yml — no network changes needed (inherits from base); kept 5173:5173 on frontend. Compose merges override files with the base, so a ports: key on db or backend added in any override would silently reintroduce the host binding; that is why the auditor rule below applies to every compose file, not just the base
  • .claude/agents/security-auditor.md — added hard rule: only frontend exposes host ports; db and backend must never have ports: in any compose file
  • TODO.md — marked Docker port hardening as done
  • README.md — updated Containers table with network column; updated Installation section; removed stale SECRET_KEY env var; noted backend API docs are not directly accessible from host
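
The following is an added example, not code from this repository: a compose fragment matching the two-network layout described under Network architecture, plus a lint that enforces the auditor's hard rule from the security-auditor.md item (only the frontend may declare a ports: key, in any compose file). Service names, image names and the function name check_no_host_ports are assumptions; the two compose texts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the project's repository. Demonstrates the
# backend-net/frontend-net layout and a lint for the "no host ports on db or
# backend" rule. Service and image names below are assumptions.

# Constructed "after" compose file: db and backend have no ports: key, the
# frontend is the only service on both networks and the only host binding.
GOOD_COMPOSE=$(cat <<'EOF'
services:
  db:
    image: postgres:16
    networks: [backend-net]
  backend:
    image: example/backend
    expose: ["8000"]        # reachable from backend-net only, never the host
    networks: [backend-net]
  frontend:
    image: example/frontend
    ports: ["80:80"]        # the single host port binding
    networks: [backend-net, frontend-net]
networks:
  backend-net:
    internal: true          # no gateway: no host routing, no egress
  frontend-net: {}
EOF
)

# Constructed override that would silently reintroduce the exposure: compose
# merges override files, so a ports: key in any file counts as a violation.
BAD_OVERRIDE=$(cat <<'EOF'
services:
  db:
    ports:
      - "5432:5432"
EOF
)

# check_no_host_ports <compose text> [allowed service]
# Walks the services: block by indentation and returns 1 if any service other
# than the allowed one (default: frontend) declares a ports: key; 0 if clean.
# It inspects one file at a time, which is exactly what the rule asks for.
check_no_host_ports() {
  printf '%s\n' "$1" | awk -v allowed="${2:-frontend}" '
    /^services:/    { in_services = 1; next }
    /^[^[:space:]]/ { in_services = 0 }
    in_services && /^  [^[:space:]]+:/ {
      svc = $1; sub(/:$/, "", svc)          # two-space indent: service name
    }
    in_services && /^    ports:/ && svc != allowed {
      printf "host port binding on service %s\n", svc
      bad = 1
    }
    END { if (bad) exit 1; exit 0 }'
}

# Usage: run the lint over every compose file that will be merged.
check_no_host_ports "$GOOD_COMPOSE" && echo "base compose: clean"
check_no_host_ports "$BAD_OVERRIDE" || echo "override rejected, as intended"
```

In CI, loop check_no_host_ports over docker-compose.yml and every docker-compose.*.yml in the repository so an override cannot reintroduce 5432 or 8000. As a runtime cross-check on the host, docker compose config shows the merged result, and ss -ltn should list only the frontend port.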