#7 Transport Security: - Removed legacy _ssl_ctx alias from config.py - proxy.py now uses _internal_ssl_ctx directly (explicitly scoped) - No global TLS bypass remains #10 Deployment Hardening: - Inventory Dockerfile: non-root (node user), health check, production deps - Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready - Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check - Added /health endpoints to inventory and budget (before auth middleware) - All 6 containers now run as non-root with health checks All services verified: gateway, trips, fitness, inventory, budget, frontend
This commit is contained in:
Yusuf Suleman
@@ -68,5 +68,3 @@ _internal_ssl_ctx = ssl.create_default_context()
|
||||
_internal_ssl_ctx.check_hostname = False
|
||||
_internal_ssl_ctx.verify_mode = ssl.CERT_NONE
|
||||
|
||||
# Legacy alias — to be removed once all callers are updated
|
||||
_ssl_ctx = _internal_ssl_ctx
|
||||
|
||||
@@ -6,7 +6,7 @@ import json
|
||||
import urllib.request
|
||||
import urllib.error
|
||||
|
||||
from config import _ssl_ctx
|
||||
from config import _internal_ssl_ctx
|
||||
from database import get_db
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ def proxy_request(target_url, method, headers, body=None, timeout=120):
|
||||
for k, v in headers.items():
|
||||
req.add_header(k, v)
|
||||
|
||||
with urllib.request.urlopen(req, context=_ssl_ctx, timeout=timeout) as resp:
|
||||
with urllib.request.urlopen(req, context=_internal_ssl_ctx, timeout=timeout) as resp:
|
||||
resp_body = resp.read()
|
||||
resp_headers = dict(resp.headers)
|
||||
return resp.status, resp_headers, resp_body
|
||||
|
||||
Reference in New Issue
Block a user