Harden production security: Dockerfile build, nginx whitelist, and CSP.

Replace Dokploy runtime git clone with Dockerfile build to keep tokens out of the container, add nginx security headers and path whitelist, and scrub templates from the running image after HTML generation.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
2026-06-27 16:58:27 +02:00
parent e22c26798b
commit f4775366ef
9 changed files with 116 additions and 57 deletions
+30
View File
@@ -0,0 +1,30 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 15;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;
server_tokens off;
include /etc/nginx/conf.d/*.conf;
}