- SecurityHeaders: X-Frame-Options, CSP, HSTS, X-XSS-Protection, etc. - RateLimiter: in-memory sliding window, 100 req/min per IP - ValidateSlug: alphanumeric + hyphens, 3-100 chars - SanitizeSearchQuery: strips injection-prone characters - REDIS_URL env var passthrough in docker-compose for future caching Co-Authored-By: Paperclip <noreply@paperclip.ing>
35 lines
745 B
YAML
35 lines
745 B
YAML
services:
|
|
hatch:
|
|
build: .
|
|
restart: unless-stopped
|
|
ports:
|
|
- "127.0.0.1:8080:8080"
|
|
volumes:
|
|
- hatch-data:/data
|
|
environment:
|
|
- HATCH_PORT=8080
|
|
- HATCH_DB_PATH=/data/hatch.db
|
|
- HATCH_BASE_URL=${HATCH_BASE_URL:-http://localhost}
|
|
- REDIS_URL=${REDIS_URL:-}
|
|
|
|
caddy:
|
|
image: caddy:2-alpine
|
|
restart: unless-stopped
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
|
- caddy-data:/data
|
|
- caddy-config:/config
|
|
environment:
|
|
- HATCH_HOSTNAME=${HATCH_HOSTNAME:-localhost}
|
|
# Caddy runs even without a real hostname (self-signed)
|
|
profiles:
|
|
- with-caddy
|
|
|
|
volumes:
|
|
hatch-data:
|
|
caddy-data:
|
|
caddy-config:
|