Harden runtime configuration and container security defaults
README.md
@ -95,6 +95,7 @@ docker compose exec web python manage.py createsuperuser
- `web` service starts through `entrypoint.sh` and waits for PostgreSQL readiness.
- `web` service also builds Tailwind CSS before `collectstatic` when `AUTO_BUILD_TAILWIND=1`.
- `web`, `celery_worker`, `celery_beat`, and `tailwind` run as a non-root user inside the image.
- `celery_worker` executes background sync work.
- `celery_beat` supports scheduled jobs (future scheduling strategy can be added per provider).
- `tailwind` service runs watch mode for development (`npm run dev`).
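Review bot: the new bullet stating that `web`, `celery_worker`, `celery_beat`, and `tailwind` run as a non-root user inside the image should name that user (or its UID/GID) and say what it means for bind mounts, because the surrounding bullets say `web` builds Tailwind CSS before `collectstatic` when `AUTO_BUILD_TAILWIND=1` and `tailwind` runs `npm run dev` in watch mode, both of which write into the static tree (`static/css/main.css` per the section below). If that directory is mounted from the host, the unprivileged container user needs write permission on it or those steps fail at startup. Suggest a short sentence after this bullet such as "the image runs as UID <n>; chown bind-mounted `static/` and `node_modules` to that UID" with the real value filled in from the Dockerfile.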
@ -156,6 +157,30 @@ docker compose up tailwind
```
Source CSS lives in `static/src/tailwind.css` and compiles to `static/css/main.css`.
HTMX is served from local static assets (`static/vendor/htmx.min.js`) instead of a CDN dependency.
## Production Configuration
Use production settings in deployed environments:
```bash
DJANGO_SETTINGS_MODULE=config.settings.production
DJANGO_DEBUG=0
DJANGO_ENV=production
```
When `DJANGO_DEBUG=0`, startup fails fast unless:
- `DJANGO_SECRET_KEY` is a real non-default value
- `DJANGO_ALLOWED_HOSTS` is set
- `DJANGO_CSRF_TRUSTED_ORIGINS` is set (for production settings)
Production settings enable hardened defaults such as:
- secure cookies
- HSTS
- security headers
- `ManifestStaticFilesStorage` for static asset integrity/versioning
## Superuser and Auth
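Review bot: the fail-fast list under "When `DJANGO_DEBUG=0`, startup fails fast unless:" does not say what counts as a "real non-default value" for `DJANGO_SECRET_KEY` (a minimum length, a rejected placeholder string, or both), and the parenthetical "(for production settings)" on `DJANGO_CSRF_TRUSTED_ORIGINS` implies the checks differ between `DJANGO_DEBUG=0` on its own and `DJANGO_SETTINGS_MODULE=config.settings.production`; spell out which checks run under which settings module and give the expected formats, e.g. `DJANGO_ALLOWED_HOSTS` as a comma-separated host list and `DJANGO_CSRF_TRUSTED_ORIGINS` entries carrying the scheme (`https://app.example.com`), since Django rejects scheme-less origins there. The hardened-defaults list (secure cookies, HSTS, security headers) also deserves one sentence stating the deployment assumption: these only take effect when Django sees the request as HTTPS, so the README should say whether the app expects a TLS-terminating proxy that sets the forwarded-proto header (and that `SECURE_PROXY_SSL_HEADER` is configured accordingly), and should note that HSTS is cached by browsers and is hard to roll back once served.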