docs(deployment): TRUSTED_PROXY_CIDRS and Railway/Render template hardening #13
Merged
…plate hardening

- Document TRUSTED_PROXY_CIDRS across the deployment index, Docker image guide, and Railway/Render guides: required when a managed platform terminates HTTPS before forwarding to the container, so CSRF origin checks, session context, audit IPs, and rate limits use the forwarded request context.
- Railway: document RAILWAY_RUN_UID=0 (volumes mount as root while the image runs as the non-root bun user), auto-generate INSTATIC_SECRET_KEY via the template secret() variable function, and add troubleshooting rows for EACCES volume errors and forbidden-origin login failures.
- Render: set TRUSTED_PROXY_CIDRS in both Blueprint templates and the guide, add the matching troubleshooting row, refresh doc links.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Brings the deployment docs in line with the trusted-proxy support and the one-click template configurations.
- TRUSTED_PROXY_CIDRS documented everywhere it matters — deployment index, Docker image guide, Railway and Render guides: required when a managed platform terminates HTTPS before forwarding plain HTTP to the container, so CSRF origin checks, login session context, audit IPs, and rate limits use the forwarded public request context. Guides note the broad 0.0.0.0/0,::/0 value is only for managed-ingress platforms; custom reverse proxies should trust their actual proxy CIDRs.
- RAILWAY_RUN_UID=0 documented (Railway mounts volumes as root while the image runs as the non-root bun user — without it SQLite/media dirs fail with EACCES); INSTATIC_SECRET_KEY now auto-generates in templates via Railway's secret() variable function so one-click installs need no local key generation; new troubleshooting rows for the EACCES and Forbidden: invalid origin failure modes; refreshed doc links.
- TRUSTED_PROXY_CIDRS added to both Blueprint render.yaml templates and the guide, with a matching troubleshooting row.

Docs/templates only — no code changes.
🤖 Generated with Claude Code
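An added example, not code from this pull request or the project: a minimal sketch of the kind of check a TRUSTED_PROXY_CIDRS setting gates, showing why the broad 0.0.0.0/0,::/0 value belongs only behind managed ingress. All function names are hypothetical, the addresses are constructed documentation ranges, and only IPv4 CIDRs plus the catch-all ::/0 are handled.

```javascript
// Added illustration, not the project's code; every function name here is hypothetical.
// Dotted-quad IPv4 -> unsigned integer, or null when the string is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// Parse a TRUSTED_PROXY_CIDRS-style value. Simplification for this sketch: IPv4 CIDRs
// plus the catch-all "::/0"; any other entry is rejected instead of being guessed at.
function parseTrustedCidrs(value) {
  const out = { v4: [], allV6: false };
  for (const entry of (value || "").split(",").map((s) => s.trim()).filter(Boolean)) {
    if (entry === "::/0") { out.allV6 = true; continue; }
    const [addr, bitsStr] = entry.split("/");
    const base = ipv4ToInt(addr);
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
      throw new Error("unsupported CIDR in this sketch: " + entry);
    }
    out.v4.push({ base, bits });
  }
  return out;
}

function isTrustedPeer(peerIp, trusted) {
  const ip = peerIp.startsWith("::ffff:") ? peerIp.slice(7) : peerIp; // IPv4-mapped IPv6
  const n = ipv4ToInt(ip);
  if (n === null) return trusted.allV6; // non-IPv4 peer: only the catch-all matches
  return trusted.v4.some(({ base, bits }) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(base / size);
  });
}

// Context used for origin checks, audit IPs and rate limits (single proxy hop assumed).
function requestContext(peerIp, headers, trusted) {
  if (!isTrustedPeer(peerIp, trusted)) return { clientIp: peerIp, proto: "http" };
  const hops = (headers["x-forwarded-for"] || "").split(",").map((s) => s.trim()).filter(Boolean);
  return {
    clientIp: hops.length ? hops[hops.length - 1] : peerIp, // entry appended by the proxy
    proto: headers["x-forwarded-proto"] || "http",
  };
}

// Constructed sample: a peer outside the proxy range sends its own forwarded headers.
const forged = { "x-forwarded-for": "198.51.100.7", "x-forwarded-proto": "https" };
console.log(requestContext("203.0.113.9", forged, parseTrustedCidrs("10.0.0.0/8")));
console.log(requestContext("203.0.113.9", forged, parseTrustedCidrs("0.0.0.0/0,::/0")));
```

With the narrow range the headers from the untrusted peer are ignored and the socket address is used; with the catch-all value they are accepted from any peer, which is safe only when the platform guarantees that nothing but its ingress can reach the container.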