DEV Community

Savas Vedova

Docker Port Publishing: A Security Wake-Up Call 🚨

Did you know that ports: "5432:5432" in your docker-compose.yml is exposing your database to the entire internet?

I see this mistake constantly in production environments. Here's what's actually happening:

What you think you're doing:

services:
  postgres:
    image: postgres:15
    ports:
      - "5432:5432"  # "Just making it accessible to my app"

🌍 What you're actually doing:

Binding port 5432 to 0.0.0.0:5432 - making your database accessible from ANY IP address that can reach your server.

Here's how to fix it:

Option 1: Bind to localhost only

ports:
  - "127.0.0.1:5432:5432"  # Only accessible from the host machine

Option 2: Use Docker networks (recommended)

# No ports section needed!
services:
  postgres:
    image: postgres:15
    networks:
      - app-network

  web:
    image: my-app
    networks:
      - app-network
    ports:
      - "80:3000"  # Only expose what users need

networks:
  app-network:

🔐 Pro tip: Your application containers can communicate with each other using service names as hostnames within the same network. No port publishing required!

The golden rule: Only publish ports that external clients need to access directly.
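
An added example (not code from the original post): a small Python audit that applies this rule to a Compose file's ports entries, flagging anything published beyond loopback unless the service is listed as intentionally public. It goes beyond the post's single case by also handling bracketed IPv6 and long-syntax entries; the function names and the "cache" service are assumptions, and the input is a constructed dict of the kind you get by parsing the output of docker compose config --format json.

```python
import ipaddress

def parse_port(entry):
    """Return (host_ip, published, target) for one Compose `ports` entry."""
    if isinstance(entry, dict):  # long syntax: host_ip / published / target
        return (str(entry.get("host_ip", "")),
                str(entry.get("published", "")), str(entry["target"]))
    spec = str(entry).split("/")[0]          # drop a "/tcp" or "/udp" suffix
    host_ip = ""
    if spec.startswith("["):                 # bracketed IPv6: [::1]:5432:5432
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.rsplit(":", 2)
    if len(parts) == 3 and not host_ip:      # IP:HOST:CONTAINER
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:                      # HOST:CONTAINER
        return host_ip, parts[0], parts[1]
    return host_ip, "", parts[-1]            # CONTAINER only (random host port)

def bind_scope(host_ip):
    """Classify the host address a published port is bound to."""
    if not host_ip:
        return "all-interfaces"              # no IP given: Docker defaults to 0.0.0.0
    try:
        ip = ipaddress.ip_address(host_ip)
    except ValueError:
        return "unparsed"                    # flag anything we cannot verify
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific-interface"

def audit(compose, public_services=()):
    """List (service, container_port, scope) for ports published beyond loopback."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if name in public_services:          # meant to be reachable by external clients
            continue
        for entry in svc.get("ports", []):
            host_ip, _, target = parse_port(entry)
            scope = bind_scope(host_ip)
            if scope != "loopback":
                findings.append((name, target, scope))
    return findings

# Constructed sample: the services from the post plus a hypothetical "cache".
SAMPLE = {"services": {
    "postgres": {"image": "postgres:15", "ports": ["5432:5432"]},
    "cache": {"image": "redis:7", "ports": ["127.0.0.1:6379:6379"]},
    "web": {"image": "my-app", "ports": ["80:3000"]},
}}
```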

Have you caught this security issue in your own Docker setups? Share your Docker security tips in the comments! 👇
