
docs(deployment): TRUSTED_PROXY_CIDRS and Railway/Render template hardening#13

Merged: DavidBabinec merged 1 commit into main from docs/deployment-proxy-and-templates on Jun 10, 2026
@DavidBabinec

Contributor

Brings the deployment docs in line with the trusted-proxy support and the one-click template configurations.

  • TRUSTED_PROXY_CIDRS documented everywhere it matters — deployment index, Docker image guide, Railway and Render guides: required when a managed platform terminates HTTPS before forwarding plain HTTP to the container, so CSRF origin checks, login session context, audit IPs, and rate limits use the forwarded public request context. Guides note the broad 0.0.0.0/0,::/0 value is only for managed-ingress platforms; custom reverse proxies should trust their actual proxy CIDRs.
  • Railway: RAILWAY_RUN_UID=0 documented (Railway mounts volumes as root while the image runs as the non-root bun user — without it SQLite/media dirs fail with EACCES); INSTATIC_SECRET_KEY now auto-generates in templates via Railway's secret() variable function so one-click installs need no local key generation; new troubleshooting rows for the EACCES and Forbidden: invalid origin failure modes; refreshed doc links.
  • Render: TRUSTED_PROXY_CIDRS added to both Blueprint render.yaml templates and the guide, with a matching troubleshooting row.

Docs/templates only — no code changes.

🤖 Generated with Claude Code

…plate hardening

- Document TRUSTED_PROXY_CIDRS across the deployment index, Docker image
  guide, and Railway/Render guides: required when a managed platform
  terminates HTTPS before forwarding to the container, so CSRF origin
  checks, session context, audit IPs, and rate limits use the forwarded
  request context.
- Railway: document RAILWAY_RUN_UID=0 (volumes mount as root while the
  image runs as the non-root bun user), auto-generate
  INSTATIC_SECRET_KEY via the template secret() variable function, and
  add troubleshooting rows for EACCES volume errors and forbidden-origin
  login failures.
- Render: set TRUSTED_PROXY_CIDRS in both Blueprint templates and the
  guide, add the matching troubleshooting row, refresh doc links.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@DavidBabinec DavidBabinec merged commit f7e8e05 into main Jun 10, 2026
5 checks passed
@DavidBabinec DavidBabinec deleted the docs/deployment-proxy-and-templates branch June 10, 2026 12:04
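
As an added example (not part of this PR or the project's code), the sketch below shows the kind of decision a trusted-proxy CIDR list controls: forwarded headers are honoured only when the direct peer is inside a trusted range. The function names, the `X-Forwarded-For`/`X-Forwarded-Proto` handling and the IPv4-only parsing are assumptions made for illustration, and the addresses are constructed documentation values.

```javascript
// Added example, not the project's implementation. IPv4 only for brevity.
// Dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Parse a comma-separated CIDR list into [network, mask] pairs.
function parseCidrs(value) {
  const out = [];
  for (const cidr of value.split(',').map((s) => s.trim()).filter(Boolean)) {
    if (cidr.includes(':')) continue; // IPv6 entry: skipped in this IPv4-only sketch
    const [addr, bits = '32'] = cidr.split('/');
    const base = ipv4ToInt(addr);
    const len = Number(bits);
    if (base === null || !Number.isInteger(len) || len < 0 || len > 32) {
      throw new Error(`unsupported CIDR: ${cidr}`);
    }
    // A 32-bit shift by 32 is a no-op in JavaScript, so /0 is special-cased.
    const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
    out.push([(base & mask) >>> 0, mask]);
  }
  return out;
}

function isTrusted(ip, cidrs) {
  const n = ipv4ToInt(ip);
  return n !== null && cidrs.some(([net, mask]) => ((n & mask) >>> 0) === net);
}

// Client IP and scheme the app should use for origin checks, audit and limits.
function requestContext(peerIp, headers, cidrs) {
  // Direct peer is not a trusted proxy: ignore forwarded headers entirely.
  // 'http' reflects the plain-HTTP hop into the container (assumption).
  if (!isTrusted(peerIp, cidrs)) return { ip: peerIp, proto: 'http' };
  const chain = (headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Walk right to left; the first hop outside the trusted ranges is the client.
  let ip = peerIp;
  while (chain.length && isTrusted(ip, cidrs)) ip = chain.pop();
  return { ip, proto: headers['x-forwarded-proto'] || 'http' };
}
```

With `0.0.0.0/0,::/0` every hop counts as trusted, so the walk ends at the leftmost header entry; that result is only meaningful when the ingress in front of the container controls the header, which is why the broad value is limited to managed-ingress platforms.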