security: round 3 hardening (CSRF double-submit, TRX MITM, container hardening)

docker-compose.yml

@@ -5,14 +5,29 @@ services:
       dockerfile: Dockerfile
     container_name: cryptowallet-api
     restart: unless-stopped
+    # Bind to loopback only — TLS termination + WAF на reverse proxy (Caddy/Nginx).
+    # Если нужно direct exposure для dev — поменяй на "3001:3001" локально.
     ports:
-      - "3001:3001"
+      - "127.0.0.1:3001:3001"
     env_file:
       - .env
     environment:
       API_PORT: "3001"
+    volumes:
+      - ./logs:/app/logs
+    # Container hardening — post-RCE blast radius minimization
+    read_only: true
+    tmpfs:
+      - /tmp
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 256
+    mem_limit: 512m
+    cpus: "1.0"
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3001/api/health"]
+      test: ["CMD", "wget", "-qO-", "--tries=1", "--timeout=3", "http://localhost:3001/api/health"]
       interval: 10s
       timeout: 5s
       retries: 5