Harden app for production behind nginx Proxy Manager.

Remove path-based import, add rate limits and upload caps, security headers, proxy trust, bundled Chart.js, non-root Docker, and NPM deployment docs. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-19 16:23:27 +02:00
parent f2c564e69a
commit 58b9e0bb0a
8 changed files with 232 additions and 45 deletions
@@ -1,13 +1,26 @@
 services:
  viewer:
    build: .
-    ports:
-      - "5000:5000"
+    expose:
+      - "5000"
    environment:
      DATA_DIR: /data
+      TRUST_PROXY: "1"
+      DISABLE_LOCAL_VIEWER: "1"
+      PREFERRED_URL_SCHEME: https
+      MAX_UPLOAD_MB: "10"
+      RATE_LIMIT_VIEWER_CREATE: "5 per minute"
+      RATE_LIMIT_IMPORT: "20 per hour"
    volumes:
      - viewer-data:/data
    restart: unless-stopped
+    # Attach to your nginx Proxy Manager network (uncomment and set name):
+    # networks:
+    #   - npm

 volumes:
  viewer-data:
+
+# networks:
+#   npm:
+#     external: true