jwright
c1db5cec86
All JS moved to external /site.js → script-src 'self' with no inline JS, hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny, referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared headers include avoids the location add_header reset footgun. Build-time secret/inline-script/third-party scan gate. SECURITY.md documents posture.
29 lines
1.0 KiB
Docker
29 lines
1.0 KiB
Docker
# syntax=docker/dockerfile:1
|
|
# Multi-stage: Debian build (Node; Chromium deps for Mermaid land in M3) →
|
|
# pinned nginx-unprivileged runtime serving the static dist/.
|
|
|
|
# ---- build stage ----------------------------------------------------------
|
|
FROM node:22-bookworm-slim AS build
|
|
WORKDIR /app
|
|
|
|
# Install deps from the lockfile only first (better layer caching).
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci
|
|
|
|
# Build the static site.
|
|
COPY . .
|
|
RUN npm run build
|
|
|
|
# ---- runtime stage --------------------------------------------------------
|
|
# Same vetted digest used by the k8s Deployment. Renovate keeps it current.
|
|
FROM ghcr.io/nginx/nginx-unprivileged:1.28.0-alpine@sha256:c97ff0bf7cbae369953c6da1232ec14ad9f971d66360c5698db0856a4cd657a0
|
|
|
|
# Custom server config (security headers, caching, routing) + shared headers include.
|
|
COPY nginx/default.conf /etc/nginx/conf.d/default.conf
|
|
COPY nginx/security-headers.conf /etc/nginx/security-headers.conf
|
|
|
|
# The built site.
|
|
COPY --from=build /app/dist /usr/share/nginx/html
|
|
|
|
EXPOSE 8080
|