- Remove external backend port 8000 exposure (VULN-01) - Conditionally disable Swagger/ReDoc/OpenAPI in non-dev (VULN-01) - Suppress nginx and uvicorn server version headers (VULN-07) - Fix CSP to allow Google Fonts (fonts.googleapis.com/gstatic) (VULN-08) - Add nginx rate limiting on auth endpoints (10r/m burst=5) (VULN-09) - Block dotfile access (/.env, /.git) while preserving .well-known (VULN-10) - Make CORS origins configurable, tighten methods/headers (VULN-11) - Run both containers as non-root users (VULN-12) - Add IP rate limit + account lockout to /change-password Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
services:
db:
image: postgres:16-alpine
restart: unless-stopped
env_file: .env
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $POSTGRES_USER -d $POSTGRES_DB"]
interval: 5s
timeout: 5s
retries: 5
backend:
build: ./backend
restart: unless-stopped
env_file: .env
depends_on:
db:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8000/health')\""]
interval: 10s
timeout: 5s
retries: 3
frontend:
build: ./frontend
restart: unless-stopped
ports:
- "80:8080"
depends_on:
backend:
condition: service_healthy
volumes:
postgres_data:
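Review bot: The db healthcheck's `$POSTGRES_USER` and `$POSTGRES_DB` are interpolated by Compose when the file is parsed, not by the shell inside the container, so the check only works when those names also resolve on the host side (the project-directory `.env` makes that likely here, but Compose will warn and substitute an empty string otherwise); the container-side form is `test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]`. Nothing in this file carries the non-root change the commit message describes (no `user:`, `cap_drop` or `security_opt` on any service), so it presumably lives in the two Dockerfiles; adding `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` to `backend` and `frontend` here would keep that property even if an image is later rebuilt with a different default user. The same `env_file: .env` feeds both `db` and `backend`, which means the backend's environment also carries every database bootstrap variable; a split into a db-only and an app-only file would narrow what an application-side disclosure exposes. The `frontend` service is the only published one (`"80:8080"`), consistent with VULN-01, but it is also the only service without a `healthcheck`, so `restart: unless-stopped` cannot react to a wedged nginx.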