shad/flowmaster-mission-control-demo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

build: add runtime-only Dockerfile + nginx hardening + allow dist in build context
Some checks are pending
build-and-publish / test (push) Waiting to run
Details
build-and-publish / image (push) Blocked by required conditions
Details

Browse Source 
Runtime-only Dockerfile.runtime copies a pre-built dist/ into the nginx
image; sidesteps the Node-on-emulation libuv crash when building on
Apple Silicon for linux/amd64.

nginx.conf hardened:
- HSTS, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy
- Permissions-Policy locking down camera/microphone/geolocation/payment
- Content-Security-Policy with strict default-src self + connect-src
  scoped to our backend
- COOP / CORP same-origin
- X-Robots-Tag noindex (not a public marketing site)
- server_tokens off

Confidence: high
Scope-risk: narrow
This commit is contained in:
Shad 2026-06-14 03:52:36 +04:00
parent 5d6898ee00
commit 553c681ede
2 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -1,10 +1,8 @@
node_modules node_modules
dist
qa/screenshots qa/screenshots
.git .git
*.log *.log
.DS_Store .DS_Store
.vscode .vscode
.idea .idea
src/index.css.bak
*.bak* *.bak*

7
Dockerfile.runtime Normal file
View File

@ -0,0 +1,7 @@
FROM nginx:1.27-alpine
COPY dist/ /usr/share/nginx/html/
COPY nginx.conf /etc/nginx/conf.d/default.conf
RUN sed -i '/listen.*80/a\ server_name _;' /etc/nginx/conf.d/default.conf || true
EXPOSE 80
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
CMD wget -q --spider http://127.0.0.1/ || exit 1