Harden security controls from REPORT findings
@@ -6,9 +6,9 @@ DMS runs as a multi-service application defined in `docker-compose.yml`:
- `frontend` serves the React UI on port `5173`
- `api` serves FastAPI on port `8000`
- `worker` executes asynchronous extraction and indexing jobs
- `db` provides PostgreSQL persistence on port `5432`
- `redis` backs queueing on port `6379`
- `typesense` stores search index and vector-adjacent metadata on port `8108`
- `db` provides PostgreSQL persistence on the internal compose network
- `redis` backs queueing on the internal compose network
- `typesense` stores search index and vector-adjacent metadata on the internal compose network
## Backend Architecture
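Review bot: The rewritten `db`, `redis` and `typesense` bullets drop the port numbers entirely, so the list no longer tells an operator which port each service listens on inside the compose network, and it now reads inconsistently next to `frontend` (port `5173`) and `api` (port `8000`), which do not say whether their ports are published to the host. Consider keeping the port and stating the exposure explicitly, for example "`db` provides PostgreSQL persistence on port `5432`, reachable only on the internal compose network", and marking `frontend` and `api` as host-published if that is the case. This hunk only changes the documentation; the matching removal of the `ports:` mappings in `docker-compose.yml` is not visible here, so confirm it is part of the same commit so the document and the deployed configuration agree.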
@@ -64,3 +64,8 @@ Persistent data:
Transient runtime state:
- Redis queues processing tasks and worker execution state
- frontend local component state drives active filters, selection, and modal flows
Security-sensitive runtime behavior:
- Redis connection URLs are validated by backend queue helpers with environment-aware auth and TLS policy enforcement.
- Inline preview is limited to safe MIME types and script-capable content is served as attachment-only.
- Archive fan-out processing propagates root and depth lineage metadata and enforces depth and per-root descendant caps.
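Review bot: The three new bullets under "Security-sensitive runtime behavior" name policies without the specifics a reader needs to verify them. "environment-aware auth and TLS policy enforcement" does not say which environments require authentication or TLS, or what happens when a Redis URL fails validation; "safe MIME types" is not enumerated; and "depth and per-root descendant caps" gives neither the limits nor the settings that control them. Suggest naming the configuration keys or the module that holds each policy, and stating the failure behavior (reject at startup, refuse to enqueue, skip the archive member) so the section can be checked against the code.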