generated from bisco/codex-bootstrap
feat: add optional letsencrypt tls
This commit is contained in:
+12
-7
@@ -11,21 +11,26 @@
|
||||
the application images run as non-root users.
|
||||
- `.env` is ignored. `.env.example` contains replaceable development placeholders,
|
||||
never production credentials. Use a deployment secret manager outside local use.
|
||||
- `DJANGO_DEBUG` must be false and allowed hosts explicit outside development. Add TLS
|
||||
at the edge before public exposure.
|
||||
- `DJANGO_DEBUG` must be false and allowed hosts explicit outside development. Public
|
||||
traffic must use either the optional direct TLS mode or TLS at a load balancer.
|
||||
- Database and uploaded media backups may contain personal data. Restrict, encrypt,
|
||||
retain, and delete them according to the operator's privacy policy.
|
||||
- Avoid placing personal phone numbers or private contact details in logs. The API
|
||||
legitimately exposes only contact details approved for publication.
|
||||
- Dependency and image versions are explicit. Operators remain responsible for patch
|
||||
upgrades, vulnerability scans, and production digest pinning.
|
||||
- NGINX forwards the original host and standard client/protocol headers. The local
|
||||
configuration is HTTP-only; production must add TLS and ensure application ports are
|
||||
not externally reachable.
|
||||
- NGINX forwards the original host and standard client/protocol headers. Django trusts
|
||||
`X-Forwarded-Proto: https`; therefore direct proxy access must be limited to trusted
|
||||
networks when a load balancer supplies that header. The NGINX mapping accepts only
|
||||
the literal `https` value as secure.
|
||||
- Optional Certbot uses a pinned image, a read-only root filesystem, no Docker socket,
|
||||
and only the certificate/challenge volumes. NGINX reads private keys from the
|
||||
certificate volume but cannot modify them. Restrict and back up that volume as
|
||||
sensitive material.
|
||||
- The Playwright image is pinned and enabled only through the test Compose profile. It
|
||||
receives no credentials, publishes no host ports, and tests only the local portal.
|
||||
The override uses a separate PostgreSQL volume so its seed cannot overwrite normal
|
||||
CMS content.
|
||||
|
||||
Manual production hardening remains required for reverse proxy headers, TLS, media
|
||||
storage, backup retention, monitoring, and admin network policy.
|
||||
Manual production hardening remains required for proxy trust boundaries, media
|
||||
storage, backup retention, monitoring, firewalling, and admin network policy.
|
||||
|
||||
Reference in New Issue
Block a user