- Never commit `.env` files containing sensitive data
- Use strong passwords for database and services
- Change default credentials before deployment
- Set `APP_ENV=production` in production environments
- Services bind to `127.0.0.1` in production
- Use the production compose file: `docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d`
- Implement a reverse proxy (nginx, Cloudflare) for public access
- Use SSL/TLS certificates for HTTPS
- Change default MariaDB root password
- Create application-specific database users
- Enable slow query logging to detect suspicious activity
- Regular backups with encryption
- Disable remote root login in production
- Disable PHP error display in production (`PHP_DISPLAY_ERRORS=0`)
- Enable error logging (`PHP_LOG_ERRORS=1`)
- Hide PHP version (`PHP_EXPOSE_PHP=0`)
- Use latest PHP versions when possible
- Configure OPcache properly for production
- Hide server version (`server_tokens off`)
- Implement rate limiting
- Security headers (HSTS, XSS Protection, etc.)
- Deny access to sensitive files (.env, .git, etc.)
- Regular security updates
```bash
# Recommended permissions
chmod 755 projects/ db/ logs/ etc/
chmod 644 etc/nginx/*.conf
chmod 600 etc/ssl/*.key
chmod 644 etc/ssl/*.crt
chmod 600 .env
```
- Run containers as non-root users when possible
- Use read-only file systems where applicable
- Resource limits to prevent DoS
- Regular image updates
- Security scanning with tools like Trivy
- Enable and monitor access logs
- Set up log rotation
- Monitor for suspicious patterns
- Use centralized logging (ELK stack, etc.)
- Regular security audits
- Encrypt backup files
- Store backups in secure locations
- Test backup restoration procedures
- Implement backup retention policies
- Use separate configurations for dev/prod
- Never use development tools in production
- Disable debug modes in production
- Use different SSL certificates
- Updated all default passwords
- Configured `.env` with production values
- SSL certificates installed and configured
- Security headers implemented
- Rate limiting configured
- File permissions set correctly
- Debug modes disabled
- Security scanning completed
- Backup strategy implemented
- Monitoring configured
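Several items on this checklist (production values in `.env`, `chmod 600` on `.env` and private keys, `server_tokens off`, loopback-only port bindings, `.env` not committed) can be verified by a script before deploying. The following is an added example, not part of the project; it assumes `.env` carries the `APP_ENV` and `PHP_*` settings and that the `etc/nginx/*.conf`, `etc/ssl/*.key` and `docker-compose.yml` layout named in this document is used.

```bash
#!/usr/bin/env bash
# audit_stack DIR: pre-deployment checks for the checklist items above.
# Added example, not part of the webstack project. Assumes DIR/.env holds
# APP_ENV and the PHP_* settings, plus DIR/etc/nginx/*.conf, DIR/etc/ssl/*.key
# and DIR/docker-compose.yml. Prints one FAIL line per finding and returns
# the number of findings (0 means every check passed).
audit_stack() {
  local dir=$1 fails=0 env_file f mode kv public
  env_file="$dir/.env"
  if [ ! -f "$env_file" ]; then
    echo "FAIL: $env_file is missing"
    return 1
  fi

  # .env and private keys must be readable by the owner only (chmod 600)
  for f in "$env_file" "$dir"/etc/ssl/*.key; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f is mode $mode, expected 600"; fails=$((fails + 1)); }
  done

  # production values the checklist requires, matched as whole lines
  for kv in APP_ENV=production PHP_DISPLAY_ERRORS=0 PHP_LOG_ERRORS=1 PHP_EXPOSE_PHP=0; do
    grep -qxF "$kv" "$env_file" || { echo "FAIL: .env does not set $kv"; fails=$((fails + 1)); }
  done

  # .env must never be committed; only meaningful when DIR is a git work tree
  if git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
    echo "FAIL: .env is tracked by git"; fails=$((fails + 1))
  fi

  # nginx must hide its version
  cat "$dir"/etc/nginx/*.conf 2>/dev/null | grep -q 'server_tokens[[:space:]]*off' \
    || { echo "FAIL: server_tokens off not found in etc/nginx/*.conf"; fails=$((fails + 1)); }

  # a compose mapping like "8080:80" publishes on all interfaces; require the 127.0.0.1: prefix
  if [ -f "$dir/docker-compose.yml" ]; then
    public=$(grep -cE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$dir/docker-compose.yml" || true)
    [ "$public" -eq 0 ] || { echo "FAIL: $public port mapping(s) not bound to 127.0.0.1"; fails=$((fails + 1)); }
  fi

  return "$fails"
}

# Usage: audit_stack.sh /path/to/webstack ; exit status is the number of findings
if [ "$#" -gt 0 ]; then audit_stack "$1"; fi
```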
- Update Docker images monthly
- Review access logs weekly
- Test backups monthly
- Security patch updates
- SSL certificate renewal
- Password rotation (quarterly)
- Trivy: Container vulnerability scanning
- OWASP ZAP: Web application security testing
- Fail2ban: Intrusion prevention
- Lynis: System security auditing
- ClamAV: Antivirus scanning
```bash
# Scan images for vulnerabilities
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image webstack-php84

# Check container security
docker run --rm -it --name docker-bench-security \
  --pid host --userns host --cap-add audit_control \
  -v /etc:/etc:ro -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security
```
- Immediate Actions:
  - Stop affected containers: `docker-compose stop`
  - Preserve logs for forensics
  - Change all passwords
  - Revoke API keys/tokens
- Investigation:
  - Review access logs
  - Check for unauthorized changes
  - Identify attack vectors
  - Document timeline
- Recovery:
  - Restore from clean backups
  - Apply security patches
  - Update security configurations
  - Monitor for continued threats
- Prevention:
  - Update security measures
  - Staff security training
  - Review and update procedures
- GDPR compliance for EU users
- Data encryption at rest and in transit
- User consent management
- Data retention policies
- Right to deletion procedures
- OWASP Top 10 compliance
- CIS Docker Benchmark
- NIST Cybersecurity Framework
- ISO 27001 principles