security hardening

deploy/docker-compose.dev.yml

@@ -6,6 +6,24 @@ services:
     image: linumiq-invoice:dev
     container_name: linumiq-invoice-dev
     restart: unless-stopped
+    # --- Container hardening (DEV) ---------------------------------------
+    # Prevent privilege escalation and drop all Linux capabilities (the app
+    # is a plain Node HTTP server — it needs none).
+    security_opt:
+      - "no-new-privileges:true"
+    cap_drop:
+      - ALL
+    # Read-only root filesystem: the app never writes to the image at runtime
+    # (Prisma client is baked at build; the SQLite DB lives on the /data bind
+    # mount; logo/image caches live in the DB or in-memory). npm/Prisma
+    # incidental writes are redirected to the tmpfs /tmp (see Dockerfile env).
+    read_only: true
+    tmpfs:
+      - /tmp
+    # Resource limits (Compose v2 / docker compose, non-swarm).
+    mem_limit: 512m
+    pids_limit: 256
+    cpus: 1.5
     env_file:
       - .env.dev
     environment: