yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: remaining security and deployment hardening (#6 #7 #10)

Browse Source 
#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains

#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks

All services verified: gateway, trips, fitness, inventory, budget, frontend
This commit is contained in:
Yusuf Suleman
2026-03-29 09:35:39 -05:00
parent 0ed8f1f83e
commit 72747668f9
8 changed files with 102 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
services/budget/Dockerfile
View File

@@ -2,13 +2,17 @@ FROM node:20-alpine
WORKDIR /app
COPY package.json ./
RUN npm install --production
COPY package.json package-lock.json ./
RUN npm ci --production
COPY server.js ./
RUN mkdir -p /app/data
RUN mkdir -p /app/data && chown -R node:node /app/data
EXPOSE 3001
ENV NODE_ENV=production
HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD wget -qO- http://localhost:3001/health || exit 1
USER node
CMD ["node", "server.js"]