SharepointToolbox-Web/Dockerfile
kawa c4a1775d7d Harden auth, headers, and container per OWASP review
- Add per-account lockout + IP rate limiter on local sign-in (A07)
- Emit CSP and security headers on every response (A05)
- Run container as non-root `app`, /data 0700 (A05/A02)
- Stop reflecting raw token-endpoint body into redirect URL (A09)
- Handle missing refresh_token in connect callback without a 500

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 14:30:19 +02:00


# Base images pinned to exact patch for reproducible builds. Floating `:10.0` tags
# drift between machines; bump deliberately. (SDK 10.0.203 + runtime 10.0.8.)
FROM mcr.microsoft.com/dotnet/aspnet:10.0.8 AS base
WORKDIR /app
EXPOSE 8080
# curl for the compose healthcheck (aspnet image ships no wget/curl).
RUN apt-get update \
&& apt-get install -y --no-install-recommends curl \
&& rm -rf /var/lib/apt/lists/*
FROM mcr.microsoft.com/dotnet/sdk:10.0.203 AS build
WORKDIR /src
COPY ["SharepointToolbox.Web.csproj", "."]
RUN dotnet restore
COPY . .
# Do NOT add --no-restore here. The restore above runs with only the .csproj present
# (no source, no wwwroot); pairing that cached state with `publish --no-restore`
# silently drops the Blazor framework static assets (wwwroot/_framework/blazor.web.js)
# from the output → the boot script 404s and no interactive circuit starts on any page.
# Letting publish restore against the full project re-materializes them. (Reproduced;
# the early restore above is kept only to cache the NuGet layer.)
RUN dotnet publish -c Release -o /app/publish
FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
# Run as the non-root `app` user shipped in the aspnet image (UID 1654) instead of root.
# /data holds the crown jewels (Data Protection keys, app-only certs, the user store), so
# create it owned by `app` with 0700 before declaring the volume. Docker seeds a *named*
# volume, on first creation only, from the image path's ownership and mode, so the running
# user can write it and other UIDs can't read the keys/certs at rest. A bind mount gets no
# such seeding: chown the host directory to UID 1654 (and chmod it 0700) before starting.
RUN mkdir -p /data \
&& chown -R app:app /app /data \
&& chmod 700 /data
USER app
# Volume for persistent data (profiles, settings, templates, logs, exports)
VOLUME ["/data"]
ENV ASPNETCORE_URLS=http://+:8080
ENV DataFolder=/data
ENTRYPOINT ["dotnet", "SharepointToolbox.Web.dll"]
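A compose service that exercises this image, as an added example and not a file from the SharepointToolbox repository: the healthcheck is the reason curl is installed in the base stage, and the named volume inherits /data's `app`-owned 0700 mode from the image. The image tag, the `/healthz` path, the read-only root filesystem and the capability/privilege settings are assumptions, not something the Dockerfile above specifies.

```yaml
# docker-compose.yml (example, assumptions marked)
services:
  sharepoint-toolbox:
    image: sharepointtoolbox-web:local   # assumed tag; `docker build -t sharepointtoolbox-web:local .`
    build: .
    ports:
      - "127.0.0.1:8080:8080"            # matches EXPOSE 8080 / ASPNETCORE_URLS; bind to loopback, front with TLS
    volumes:
      - toolbox-data:/data               # named volume: seeded from the image's /data (app:app, 0700)
    read_only: true                      # assumed hardening: /app stays immutable at runtime
    tmpfs:
      - /tmp                             # .NET needs a writable temp dir when the root fs is read-only
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL                              # port 8080 is unprivileged, so no capabilities are required
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:8080/healthz"]   # /healthz is assumed
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s
    restart: unless-stopped

volumes:
  toolbox-data:
```

Two things to check after `docker compose up -d`: `docker compose exec sharepoint-toolbox id -u` should print 1654, and `docker compose exec sharepoint-toolbox stat -c '%U %a' /data` should print `app 700`. If the volume already existed before the image was rebuilt, it keeps its old ownership and mode, because seeding happens only when the volume is first created. If you replace the named volume with a bind mount, set the host directory to UID 1654 and 0700 yourself.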