Dominik Duda authored
docker-compose.yml previously baked POSTGRES_USER=hydrocore / POSTGRES_PASSWORD=hydrocore into the file and exposed 5432 on 0.0.0.0, which means any laptop with this repo and an open firewall was reachable with publicly-known credentials.

Changes:
- All sensitive env vars (POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, DATABASE_URL, JWT_SECRET_KEY) now use ${VAR:?msg} syntax — Compose refuses to start when they are unset, with an explanatory message
- db and redis port mappings switched to 127.0.0.1:PORT:PORT so the services are reachable only from the host loopback
- api container also surfaces ENVIRONMENT to the app so the config validator can enforce production hardening end-to-end
- .env.example now lists POSTGRES_* as REQUIRED with generation hints
- README documents the strong-creds workflow
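
A pre-merge check for the two problems the commit message above describes, added here as an example and not part of the project's code: it flags sensitive variables whose value is not wholly a `${VAR:?msg}` reference and port mappings that are not bound to loopback. The function name `lint_compose`, the line-based parsing (short port syntax only) and the sample Compose text are assumptions constructed for illustration.

```python
import re

# Variables the commit message names as sensitive.
SENSITIVE = {"POSTGRES_USER", "POSTGRES_PASSWORD", "POSTGRES_DB",
             "DATABASE_URL", "JWT_SECRET_KEY"}
KEY_RE = re.compile(r"^([a-z_][a-z0-9_-]*):")            # lowercase YAML key
ENV_RE = re.compile(r"^([A-Z_][A-Z0-9_]*)\s*[:=]\s*(.*)$")
REQUIRED_RE = re.compile(r"^\$\{\w+:?\?[^}]*\}$")         # ${VAR:?msg} or ${VAR?msg}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample, not the project's docker-compose.yml.
SAMPLE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: hydrocore
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-hydrocore}
      POSTGRES_DB: ${POSTGRES_DB:?Set POSTGRES_DB in .env}
    ports:
      - "5432:5432"
  redis:
    ports:
      - "127.0.0.1:6379:6379"
"""

def lint_compose(text):
    """Return (line, kind, detail) findings. Handles short port syntax only."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = KEY_RE.match(line)
        if key:                       # entering a new mapping key
            section = key.group(1)
            continue
        item = line.lstrip("- ").strip("\"'")
        if section == "environment":
            env = ENV_RE.match(item)
            # A literal, ${VAR} or ${VAR:-default} still lets Compose start.
            if env and env.group(1) in SENSITIVE and \
                    not REQUIRED_RE.match(env.group(2).strip("\"'")):
                findings.append((lineno, "secret", env.group(1)))
        elif section == "ports":
            parts = item.rsplit(":", 2)   # [host_ip, host_port, container_port]
            if len(parts) != 3 or parts[0] not in LOOPBACK:
                findings.append((lineno, "port", item))
    return findings
```

On the sample, the `:-` default is reported alongside the literal username because a fallback value lets Compose start with a known credential, which is the condition the `:?` form rules out.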