From fe981e05bc6b520983e1765a1fce8c7608f79944 Mon Sep 17 00:00:00 2001
From: BeauTroll <->
Date: Mon, 22 Dec 2025 19:45:09 +0100
Subject: [PATCH] Harden Uptime Kuma Docker configuration with security best practices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Switch to rootless image (2.0.2-rootless) for non-root execution
- Add security hardening: no-new-privileges and drop all capabilities
- Fix router name bug (traefik-dashboardraefik-dashboard → uptime-kuma)
- Add security headers middleware (XSS, frame options, content-type)
- Implement healthcheck for container monitoring
- Configure log rotation (10M max, 3 files)
- Set resource limits (512M RAM, 0.5 CPU)
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5
---
 docker-compose.yml | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 0cd6469..46e099e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,18 +1,46 @@
 services:
   uptime-kuma:
-    image: louislam/uptime-kuma:latest
+    image: louislam/uptime-kuma:2.0.2-rootless
     container_name: uptime-kuma
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     networks:
-      - traefik-net
+      - traefik-net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.traefik-dashboardraefik-dashboard.rule=Host(`${DOMAIN}`)"
-      - "traefik.http.routers.traefik-dashboardraefik-dashboard.entrypoints=websecure"
-      - "traefik.http.routers.traefik-dashboardraefik-dashboard.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.uptime-kuma.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
+      - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
       - "traefik.http.services.uptime-backend.loadbalancer.server.port=3001"
+      - "traefik.http.middlewares.uptime-security.headers.customFrameOptionsValue=SAMEORIGIN"
+      - "traefik.http.middlewares.uptime-security.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.uptime-security.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.uptime-security.headers.referrerPolicy=strict-origin-when-cross-origin"
+      - "traefik.http.routers.uptime-kuma.middlewares=uptime-security"
     volumes:
       - ./data:/app/data
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:3001 || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+    deploy:
+      resources:
+        limits:
+          cpus: "0.5"
+          memory: 512M
+        reservations:
+          cpus: "0.25"
+          memory: 256M
 networks:
   traefik-net:
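Review bot: The `browserXssFilter=true` label in the new uptime-security middleware emits the legacy `X-XSS-Protection: 1; mode=block` header, which current guidance (OWASP, and the browsers that have since removed their XSS auditors) says to set to 0 or omit because the auditor itself was abusable for cross-site information leaks, while the router is websecure-only yet the middleware sets no HSTS at all. I would replace that label with `- "traefik.http.middlewares.uptime-security.headers.stsSeconds=31536000"` (adding `stsIncludeSubdomains=true` only if every subdomain of `${DOMAIN}` is served over TLS). Two further points the commit does not address: the `2.0.2-rootless` tag is still mutable, so pinning by digest (`image: louislam/uptime-kuma:2.0.2-rootless@sha256:<digest>`) is what actually freezes the supply chain, and because the previous `latest` image ran as root, the bind-mounted `./data` is presumably root-owned and the rootless process will fail to write it until its ownership is changed to the image's runtime uid. The healthcheck also assumes `curl` exists inside the rootless image, which should be verified before merging, since a missing binary leaves the container permanently unhealthy.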