From 79120681de7901e18af1f76d988a7b1cb358cce0 Mon Sep 17 00:00:00 2001
From: Aaron Aronchick
Date: Sun, 22 Feb 2026 03:53:28 +0000
Subject: [PATCH] security: bind redis and postgres ports to localhost only

Prevents external access to Redis (6379) and Postgres (5432). Both services are internal-only - containers communicate via Docker network, host port binding only needed for local debugging. Flagged by DigitalOcean security scan 2026-02-22.
---
 compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/compose.yml b/compose.yml
index 85930802..9f3bbd62 100644
--- a/compose.yml
+++ b/compose.yml
@@ -10,7 +10,7 @@ services:
 volumes:
 - postgres_data:/var/lib/postgresql/data
 ports:
- - "${POSTGRES_PORT:-5432}:5432"
+ - "127.0.0.1:${POSTGRES_PORT:-5432}:5432"
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
 interval: 5s
@@ -20,7 +20,7 @@ services:
 redis:
 image: redis:7-alpine
 ports:
- - "${REDIS_PORT:-6379}:6379"
+ - "127.0.0.1:${REDIS_PORT:-6379}:6379"
 backend:
 build:
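Review bot: The `ports:` mapping for postgres in this hunk, and for redis in the second hunk, is still published by the base compose.yml even though the commit message says host binding is only needed for local debugging. Moving `- "127.0.0.1:${POSTGRES_PORT:-5432}:5432"` (and the redis equivalent) into a `compose.override.yml` that is not shipped to the production host would leave no host listener there at all, instead of depending on the loopback prefix surviving future edits. If the mapping stays in this file, a comment above it such as `# loopback only: Docker-published ports are generally not filtered by host INPUT/ufw rules` records why it must not be reverted. The postgres service starts above this hunk, so its other settings are not visible here.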
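Review bot: The redis service shown in the second hunk has only `image` and `ports`, so after this change the loopback bind is the only control in front of a Redis with no password. The official image is documented as running with protected mode off, so other containers on the Compose network and local users on the host can still connect unauthenticated. Consider enabling authentication, for example `command: ["redis-server", "--requirepass", "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"]` (the variable name is a placeholder) with the matching client setting in the backend, or an ACL file mounted from a secret so the password does not appear in the container's command line. After deploying, confirm the listener with `ss -ltn` on the host; it should show `127.0.0.1:6379`, not `0.0.0.0:6379`.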