Harden websocket server against abuse

2026-05-08 13:13:13 -04:00
parent 88688c8f84
commit c26a833eda
5 changed files with 451 additions and 57 deletions
--- a/compose.yaml
+++ b/compose.yaml
@@ -5,7 +5,18 @@ services:
    image: tictactics:local
    container_name: tictactics
    restart: unless-stopped
+    read_only: true
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 128
    environment:
      APP_PORT: ${APP_PORT:-8787}
+      ALLOWED_ORIGINS: ${ALLOWED_ORIGINS:-}
+      MAX_CLIENTS: ${MAX_CLIENTS:-200}
+      MAX_CLIENTS_PER_IP: ${MAX_CLIENTS_PER_IP:-12}
+      MAX_MESSAGES_PER_WINDOW: ${MAX_MESSAGES_PER_WINDOW:-40}
+      TRUST_PROXY: ${TRUST_PROXY:-false}
    ports:
      - "${APP_PORT:-8787}:${APP_PORT:-8787}"