- Remove external backend port 8000 exposure (VULN-01) - Conditionally disable Swagger/ReDoc/OpenAPI in non-dev (VULN-01) - Suppress nginx and uvicorn server version headers (VULN-07) - Fix CSP to allow Google Fonts (fonts.googleapis.com/gstatic) (VULN-08) - Add nginx rate limiting on auth endpoints (10r/m burst=5) (VULN-09) - Block dotfile access (/.env, /.git) while preserving .well-known (VULN-10) - Make CORS origins configurable, tighten methods/headers (VULN-11) - Run both containers as non-root users (VULN-12) - Add IP rate limit + account lockout to /change-password Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
32 lines
592 B
Docker
# Build stage
|
|
FROM node:20-alpine AS build
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy package files
|
|
COPY package*.json ./
|
|
|
|
# Install dependencies
|
|
RUN npm install
|
|
|
|
# Copy source files
|
|
COPY . .
|
|
|
|
# Build the application
|
|
RUN npm run build
|
|
|
|
# Production stage — unprivileged nginx (runs as non-root, listens on 8080)
|
|
FROM nginxinc/nginx-unprivileged:alpine
|
|
|
|
# Copy built files from build stage
|
|
COPY --from=build /app/dist /usr/share/nginx/html
|
|
|
|
# Copy nginx configuration
|
|
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
|
|
|
# Expose port 8080 (unprivileged)
|
|
EXPOSE 8080
|
|
|
|
# Start nginx
|
|
CMD ["nginx", "-g", "daemon off;"]
|
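Review bot: The new production base `FROM nginxinc/nginx-unprivileged:alpine` is a floating tag, so the image that carries the non-root and server-header hardening this commit describes can change silently on every rebuild and cannot be audited against a specific nginx release; pin it, e.g. `FROM nginxinc/nginx-unprivileged:<pinned-tag>@sha256:<digest>`, and likewise pin `node:20-alpine` in the build stage. The build stage still runs `npm install` after `COPY package*.json ./`, which can rewrite the lockfile and resolve drifted transitive versions, whereas `npm ci` fails on any lockfile mismatch and is the reproducible choice for a hardening commit. `COPY . .` in the build stage will also capture a local `.env` unless a `.dockerignore` excludes it (not visible here) — the nginx dotfile block added for VULN-10 protects only the served tree, not build-stage layers. The final stage has no `HEALTHCHECK`; since the unprivileged image listens on 8080 and alpine's busybox ships `wget`, something like `HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/ || exit 1` would let an orchestrator detect a wedged container.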