📄 production optimizations

docker-compose.prod.yml

@@ -55,6 +55,14 @@ services:
     volumes:
       - ./data/logs:/app/logs
 
+    # Security options
+    security_opt:
+      - no-new-privileges:true  # Prevent privilege escalation
+    # read_only: true  # Commented - uncomment if you want extra hardening
+    # tmpfs:           # Required if using read_only: true
+    #   - /tmp
+    #   - /app/.next/cache
+
     # Health check configuration
     # Docker monitors the application and marks it unhealthy if checks fail
     # If container is unhealthy, restart policy will trigger a restart
@@ -67,14 +75,14 @@ services:
 
     # Resource limits for production
     # Prevents container from consuming all server resources
-    # deploy:
-    #   resources:
-    #     limits:
-    #       cpus: '1.0'         # Maximum 1 CPU core
-    #       memory: 512M        # Maximum 512MB RAM
-    #     reservations:
-    #       cpus: '0.25'        # Reserve at least 0.25 CPU cores
-    #       memory: 256M        # Reserve at least 256MB RAM
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'         # Maximum 1 CPU core
+          memory: 512M        # Maximum 512MB RAM
+        reservations:
+          cpus: '0.25'        # Reserve at least 0.25 CPU cores
+          memory: 256M        # Reserve at least 256MB RAM
 
     # Network configuration
     networks: