Harden auth, headers, and container per OWASP review
- Add per-account lockout + IP rate limiter on local sign-in (A07)
- Emit CSP and security headers on every response (A05)
- Run container as non-root `app`, /data 0700 (A05/A02)
- Stop reflecting raw token-endpoint body into redirect URL (A09)
- Handle missing refresh_token in connect callback without a 500

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -25,6 +25,16 @@ FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
# Run as the non-root `app` user shipped in the aspnet image (UID 1654) instead of root.
# /data holds the crown jewels (Data Protection keys, app-only certs, the user store), so
# create it owned by `app` with 0700 before declaring the volume — Docker seeds a fresh
# named volume from the image path's ownership/mode, so the running user can write it and
# other host users can't read the keys/certs at rest.
RUN mkdir -p /data \
&& chown -R app:app /app /data \
&& chmod 700 /data
USER app
# Volume for persistent data (profiles, settings, templates, logs, exports)
VOLUME ["/data"]
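Review bot: `chown -R app:app /app /data` in the RUN line gives the runtime user ownership of the published application under /app, so a compromised process could overwrite its own binaries; only /data needs to be writable by `app`. Leave /app root-owned (which `COPY --from=build` without `--chown` already does, and the `app` user only needs read/execute on it) and narrow the line to `&& chown -R app:app /data \`. Separately, the comment's claim that Docker seeds the volume from the image path's ownership and mode is only true for a fresh named volume; with a bind mount such as `-v ./data:/data` the host directory's owner and mode win, so UID 1654 may be unable to write and the 0700 protection would depend on how the host directory was created. Worth stating that caveat in the comment so operators chown the host path to 1654 when they bind-mount it.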