Deployment — Docker container with production hardening

## Overview
Package and deploy TimeKeep as a Docker container on a public server with proper security.

## Tasks

### Docker
- [ ] `Dockerfile` — multi-stage build (Node build for React, then lean production image)
- [ ] `docker-compose.yml` — container definition, volume mount for DB, env vars
- [ ] `.dockerignore` — exclude node_modules, .env, dev files

### Production hardening
- [ ] Move `JWT_SECRET` to a proper secret (env var, never hardcoded)
- [ ] Change default `admin` / `admin123` credentials on first run (force password change)
- [ ] HTTPS via reverse proxy (nginx or Caddy) with Let's Encrypt cert
- [ ] Set `NODE_ENV=production`, disable verbose error output to client
- [ ] Rate limiting on `/api/auth/login` to prevent brute force
- [ ] Helmet.js for HTTP security headers

### DB & backups in production
- [ ] DB volume mounted outside container so it survives container restarts/updates
- [ ] Update backup script to handle Docker volume path

### Misc
- [ ] Environment-specific config (dev vs prod)
- [ ] Health check endpoint (`GET /api/health`)

## Notes
- Current stack (Node/Express + SQLite + React/Vite) is well-suited for a single-container deployment
- Caddy is a good choice for reverse proxy — automatic HTTPS with zero config

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deployment — Docker container with production hardening #6

Overview

Tasks

Docker

Production hardening

DB & backups in production

Misc

Notes

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Deployment — Docker container with production hardening #6

Description

Overview

Tasks

Docker

Production hardening

DB & backups in production

Misc

Notes

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions