Security Hardening
Use this checklist when DockLog moves from a private lab install to a team-facing environment.
Hardening checklist
Protect the Docker socket
Mounting docker.sock gives the DockLog container full control of the Docker daemon, which is equivalent to root on the host: anyone who compromises DockLog can start privileged containers and read or modify every other container. Mount the socket only on hosts you control, and treat the DockLog host with the same care as the daemon itself.
Rotate secrets regularly
Regenerate SECRET_KEY on a schedule, and immediately whenever you move the deployment to a new host, copy the configuration elsewhere, or suspect the key has been exposed.
Keep auth mode private
Put the app behind a VPN, SSO, or reverse-proxy authentication before exposing it beyond the lab network. Do not rely on an unpublished hostname or port as protection.
Limit container actions
Each container action has a global ALLOW_* switch and a per-user can_* flag. Leave every ALLOW_* switch off unless the team actually needs that action, then grant the matching can_* flag only to the users who need it, so the set of people who can act on containers stays as small as possible.
Enable production mode
Set ENV=production, generate a unique SECRET_KEY (never a sample, default, or shared value), and keep CLIENT_ACCESS=strict.
Lock down client access
List only the origins you trust in ALLOWED_ORIGINS, and do not use a wildcard. The web UI identifies itself to the backend with the header X-DockLog-Client: web; if you front DockLog with a reverse proxy, make sure it forwards that header unchanged.
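The production-mode, client-access and container-action items above are one procedure, so here is a single worked example that generates a hardened .env and audits an existing one against the checklist. This is an added example, not DockLog's own tooling. Only ENV, SECRET_KEY, CLIENT_ACCESS, ALLOWED_ORIGINS and the ALLOW_* prefix come from the checklist; the KEY=value file format, the comma-separated origin list, the true/false values for ALLOW_* switches and the placeholder-key heuristics are assumptions you should adjust to your deployment.

```shell
#!/bin/sh
# Added example, not part of DockLog: generate a hardened .env for the
# checklist above and audit an existing one. Only ENV, SECRET_KEY,
# CLIENT_ACCESS, ALLOWED_ORIGINS and the ALLOW_* prefix come from the
# checklist; the KEY=value file format, the comma-separated origin list
# and the true/false values for ALLOW_* switches are assumptions.

# env_get FILE KEY: print the value of the last KEY=... line in FILE
# (surrounding double quotes removed), or nothing if it is absent.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# new_secret_key: 32 bytes from the OS CSPRNG, printed as 64 hex characters.
new_secret_key() {
    od -A n -N 32 -t x1 /dev/urandom | tr -d ' \n'
}

# write_hardened_env FILE ORIGIN...: write a production .env with a fresh
# SECRET_KEY, strict client access and only the listed origins. ALLOW_*
# switches are deliberately left unset (off) so every action is opt-in.
write_hardened_env() {
    out=$1
    shift
    origins=$(printf '%s,' "$@")
    {
        echo "ENV=production"
        echo "SECRET_KEY=$(new_secret_key)"
        echo "CLIENT_ACCESS=strict"
        echo "ALLOWED_ORIGINS=${origins%,}"
    } > "$out"
    chmod 600 "$out"   # the file holds the secret; keep it owner-readable only
}

findings=0
_finding() {
    echo "FAIL: $1"
    findings=$((findings + 1))
}

# audit_env FILE: print one FAIL line per checklist violation and return
# the number of violations (0 means the file passes). ALLOW_* switches
# that are on are reported as NOTE lines, not failures, because whether
# the team needs them is a policy decision, not a configuration error.
audit_env() {
    file=$1
    findings=0

    [ "$(env_get "$file" ENV)" = "production" ] \
        || _finding "ENV must be production"

    key=$(env_get "$file" SECRET_KEY)
    if [ -z "$key" ]; then
        _finding "SECRET_KEY is unset"
    else
        case "$key" in
            changeme|secret|password|*example*)   # heuristic placeholder check
                _finding "SECRET_KEY looks like a placeholder" ;;
            *)
                [ "${#key}" -ge 32 ] \
                    || _finding "SECRET_KEY is shorter than 32 characters" ;;
        esac
    fi

    [ "$(env_get "$file" CLIENT_ACCESS)" = "strict" ] \
        || _finding "CLIENT_ACCESS must be strict"

    origins=$(env_get "$file" ALLOWED_ORIGINS)
    case "$origins" in
        "")    _finding "ALLOWED_ORIGINS is empty" ;;
        *\**)  _finding "ALLOWED_ORIGINS contains a wildcard" ;;
    esac

    # Report every ALLOW_* switch that is on, whatever its exact name.
    for switch in $(sed -n 's/^[[:space:]]*\(ALLOW_[A-Za-z0-9_]*\)=.*/\1/p' "$file" 2>/dev/null); do
        if [ "$(env_get "$file" "$switch")" = "true" ]; then
            echo "NOTE: $switch is on; grant the matching can_* flag only to users who need it"
        fi
    done

    return "$findings"
}

# Usage: ./docklog-harden.sh init .env https://docklog.example.internal
#        ./docklog-harden.sh audit .env   (exit status = number of failures)
case "${1:-}" in
    init)  shift; write_hardened_env "$@" ;;
    audit) audit_env "$2" ;;
esac
```

Run the audit from CI or a pre-deploy hook so a non-zero exit status blocks a deployment that has drifted back to ENV=development, a placeholder key, or a wildcard origin. The NOTE lines are meant to be read by the person granting can_* flags, since the script cannot know which actions your team legitimately needs.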