Go-live hardening: server_tokens, resource limits, pinned images, CVE fixes

- Add server_tokens off to nginx (suppress version leakage) - Add deploy.resources.limits to all containers (db: 512M, api: 256M, nginx: 64M) - Pin image tags: mysql:8.0 → 8.0.45, nginx:alpine → 1.29.6-alpine - Fix CVEs: cryptography 43.0.3 → 46.0.5 (HIGH), python-jose 3.3.0 → 3.4.0 (CRITICAL) - Add .limit(500) to GET /api/flock and GET /api/admin/users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 00:16:28 -07:00
parent 59f9685e2b
commit 392a48dfb9
5 changed files with 23 additions and 5 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,8 +4,13 @@ services:
  # MYSQL_ROOT_PASSWORD and MYSQL_PASSWORD should each be 20+ random characters.
  # Generate with: openssl rand -hex 16
  db:
-    image: mysql:8.0
+    image: mysql:8.0.45
    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 512M
    env_file: .env
    logging:
      driver: json-file
@@ -33,6 +38,11 @@ services:
  api:
    build: ./backend
    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 256M
    env_file: .env
    logging:
      driver: json-file
@@ -58,8 +68,13 @@ services:

  # ── Nginx ────────────────────────────────────────────────────────────────────
  nginx:
-    image: nginx:alpine
+    image: nginx:1.29.6-alpine
    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 64M
    logging:
      driver: json-file
      options: