Issue Report
DOCKERFILE Improvements
Expected behavior
Running as a non-root user helps to avoid security risks; using security headers is a good best practice.
Actual behavior
DOCKERFILE
The Dockerfile is structured in a multi-stage build format, which is good for optimizing the final image size. I'll walk you through each part of the Dockerfile and point out any concerns or recommendations:
Builder Stage (Node.js Build Phase):
FROM node:18.12.1-alpine as builder: You're using a specific version of Node.js with Alpine, which is a lightweight distro. This is a good practice, as it minimizes the image size and reduces the potential attack surface.
COPY package.json yarn.lock ./: Good! You're copying only the necessary files for the yarn install command. This takes advantage of Docker's caching mechanism and ensures faster builds if no dependencies change.
Recommendations: Consider using a non-root user even in the builder stage. Running as a non-root user is a security best practice.
Production Environment (Nginx Server):
It would be beneficial to use a non-root user to run the Nginx process. By default, Nginx will run as root, which is not recommended in a container environment.
Consider adding security headers in your Nginx configuration for added security. Examples include Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, etc.
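As an added example (not code from the issue or from the project it refers to), here is one way to apply both recommendations in a single multi-stage Dockerfile: the builder stage drops to the `node` user that the official node image already ships, and the production stage is based on the nginxinc/nginx-unprivileged image, in which both the nginx master and worker processes run as uid 101 and listen on port 8080, with the security headers set in the vhost configuration. The assumptions are that `yarn build` writes the static site to /app/dist and that nginx serves plain HTTP behind a TLS-terminating proxy.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Builder stage: run the Node.js build as an unprivileged user ----
FROM node:18.12.1-alpine AS builder
WORKDIR /app
# WORKDIR creates /app as root; hand it to the image's built-in `node` user (uid 1000)
RUN chown node:node /app
USER node
# Copy only the manifest first so the dependency layer is cached until it changes
COPY --chown=node:node package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY --chown=node:node . .
# Assumption: the project's build script emits the static site into /app/dist
RUN yarn build

# ---- Production stage: nginx with master and workers running as uid 101 ----
# nginxinc/nginx-unprivileged moves the pid file and cache dirs to writable
# locations and listens on 8080, so no root capability is needed at runtime
FROM nginxinc/nginx-unprivileged:1.25-alpine
# Replace the default vhost with one that sets the security headers on every
# response (`always` also applies them to 4xx/5xx responses)
COPY <<'EOF' /etc/nginx/conf.d/default.conf
server {
    listen 8080;
    root  /usr/share/nginx/html;
    index index.html;

    server_tokens off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
EOF
# Static files owned by the runtime user; nothing in the image is writable by it otherwise
COPY --from=builder --chown=nginx:nginx /app/dist /usr/share/nginx/html
EXPOSE 8080
USER nginx
```

To check the result after `docker build -t app .`: `docker run --rm app id` should print uid=101(nginx), and with the container started as `docker run --rm -p 8080:8080 app`, `curl -sI http://localhost:8080/` should show all five headers. Two caveats a reviewer would want noted: nginx's `add_header` is not inherited into any `location` block that declares its own `add_header`, so headers set at `server` level must be repeated (or pulled in with `include`) in such blocks; and browsers only honour Strict-Transport-Security when it arrives over HTTPS, so if this container speaks plain HTTP the HSTS header is effective only once the TLS terminator in front of it forwards or sets it.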