Did you know that `ports: "5432:5432"` in your docker-compose.yml is exposing your database to the entire internet?
I see this mistake constantly in production environments. Here's what's actually happening:
What you think you're doing:

```yaml
services:
  postgres:
    image: postgres:15
    ports:
      - "5432:5432"   # "Just making it accessible to my app"
```
What you're actually doing:

Binding port 5432 to 0.0.0.0:5432, making your database accessible from ANY IP address that can reach your server.
Here's how to fix it:

Option 1: Bind to localhost only

```yaml
    ports:
      - "127.0.0.1:5432:5432"   # Only accessible from the host machine
```
Option 2: Use Docker networks (recommended)

```yaml
# No ports section needed for the database!
services:
  postgres:
    image: postgres:15
    networks:
      - app-network
  web:
    image: my-app
    networks:
      - app-network
    ports:
      - "80:3000"   # Only expose what users need
networks:
  app-network:
```
Pro tip: Your application containers can communicate with each other using service names as hostnames within the same network. No port publishing required!
The golden rule: Only publish ports that external clients need to access directly.
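To make this rule checkable rather than a matter of remembering, here is an added example (not code from the original post) that audits the `ports` entries of a compose file and reports every mapping Docker would bind on all host interfaces. It understands both the short `"[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]"` syntax and the long dict syntax with `target`/`published`/`host_ip`, and treats a missing host IP, `0.0.0.0` and `::` as "all interfaces". The compose document embedded below is constructed for the example; the `SENSITIVE_PORTS` table, the `allowed_public` parameter and the `Finding` type are this example's own conventions, and PyYAML is assumed only when you point the script at a real file.

```python
"""Audit docker-compose port mappings for bindings on all host interfaces."""
from dataclasses import dataclass
from typing import Iterable, Optional, Union

# Default ports of services that should rarely be reachable from the internet (example's own table)
SENSITIVE_PORTS = {
    "5432": "postgres", "3306": "mysql", "6379": "redis",
    "27017": "mongodb", "9200": "elasticsearch", "5672": "rabbitmq",
}


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]       # None: Docker binds to 0.0.0.0 (all interfaces)
    host_port: Optional[str]     # None: Docker picks an ephemeral host port
    container_port: str
    protocol: str = "tcp"

    @property
    def binds_all_interfaces(self) -> bool:
        return self.host_ip in (None, "", "0.0.0.0", "::")

    @property
    def loopback_only(self) -> bool:
        return self.host_ip is not None and (self.host_ip.startswith("127.") or self.host_ip == "::1")


def parse_port_mapping(spec: Union[str, int, dict]) -> PortMapping:
    """Parse a compose `ports` entry in either the short string or the long dict syntax."""
    if isinstance(spec, dict):                       # long syntax
        published = spec.get("published")
        return PortMapping(
            host_ip=spec.get("host_ip"),
            host_port=None if published is None else str(published),
            container_port=str(spec["target"]),
            protocol=spec.get("protocol", "tcp"),
        )
    text, protocol = str(spec), "tcp"
    if "/" in text:                                  # trailing "/udp", "/tcp"
        text, protocol = text.rsplit("/", 1)
    if text.startswith("["):                         # bracketed IPv6, e.g. "[::1]:5432:5432"
        end = text.index("]")
        rest = text[end + 1:].lstrip(":").split(":")
        if len(rest) != 2:
            raise ValueError(f"unsupported port spec: {spec!r}")
        return PortMapping(text[1:end], rest[0], rest[1], protocol)
    parts = text.split(":")
    if len(parts) == 1:                              # "3000": ephemeral host port on all interfaces
        return PortMapping(None, None, parts[0], protocol)
    if len(parts) == 2:                              # "5432:5432": all interfaces
        return PortMapping(None, parts[0], parts[1], protocol)
    # Three or more parts: everything before the last two is the host IP (covers unbracketed IPv6)
    return PortMapping(":".join(parts[:-2]), parts[-2], parts[-1], protocol)


@dataclass(frozen=True)
class Finding:
    service: str
    mapping: PortMapping
    note: str


def audit_compose(compose: dict, allowed_public: Iterable[str] = ()) -> list:
    """One Finding per port published on all interfaces by a service not listed in allowed_public."""
    allowed = set(allowed_public)
    findings = []
    for name, service in (compose.get("services") or {}).items():
        for spec in (service or {}).get("ports") or []:
            mapping = parse_port_mapping(spec)
            if name in allowed or not mapping.binds_all_interfaces:
                continue
            known = SENSITIVE_PORTS.get(mapping.container_port)
            note = (f"looks like a {known} port; bind it to 127.0.0.1 or drop 'ports' and use a network"
                    if known else "published on 0.0.0.0; confirm external clients really need it")
            findings.append(Finding(name, mapping, note))
    return findings


# Constructed sample compose document (what yaml.safe_load would return for a small stack)
SAMPLE_COMPOSE = {
    "services": {
        "postgres": {"image": "postgres:15", "ports": ["5432:5432"]},
        "redis": {"image": "redis:7", "ports": ["127.0.0.1:6379:6379"]},
        "web": {"image": "my-app", "ports": ["80:3000"]},
        "worker": {"image": "my-app", "networks": ["app-network"]},
        "api": {"image": "my-api",
                "ports": [{"target": 8080, "published": 8080, "host_ip": "0.0.0.0", "protocol": "tcp"}]},
    },
    "networks": {"app-network": {}},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import yaml  # PyYAML, assumed available only when reading a real compose file from disk
        with open(sys.argv[1]) as fh:
            compose = yaml.safe_load(fh)
    else:
        compose = SAMPLE_COMPOSE
    for f in audit_compose(compose, allowed_public=sys.argv[2:]):
        m = f.mapping
        print(f"{f.service}: {m.host_ip or '0.0.0.0'}:{m.host_port or '<ephemeral>'} "
              f"-> {m.container_port}/{m.protocol}  {f.note}")
```

Usage: `python audit_ports.py docker-compose.yml web` prints every all-interface binding except those of the `web` service, which you have declared intentionally public. On the sample document it reports `postgres` and `api` (and `web` when not allow-listed) while `redis`, bound to 127.0.0.1, and `worker`, which publishes nothing, pass. Checking the compose file or `docker ps` output is more dependable than relying on a host firewall: Docker programs its own iptables rules for published ports, so a ufw rule set on the host does not reliably block them.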
Have you caught this security issue in your own Docker setups? Share your Docker security tips in the comments!