5a05bb86e106d90c5c5e5af0080afdb6719fa13b
Bind the published port to 127.0.0.1 so the app is reachable only through the host reverse proxy, not on the LAN/WAN — a 0.0.0.0 publish would also bypass ufw/firewalld, since Docker's DNAT rules sit ahead of the host firewall.

Split the stack onto two networks with deterministic bridge names: `web` (dk-tanabata) for the public-facing side, and `backend` (dk-tanabata-bnd, internal:true) for the private app↔DB tier. The DB sits only on `backend`, which has no gateway, so it has no route off-host.

Document TRUSTED_PROXIES and the loopback publish in .env.example.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
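A check for the layout this commit describes, as an added example that is not part of the commit or the project's code: it audits a normalized Compose model for ports published beyond loopback and for private services attached to a non-internal network. The service names `app` and `db`, port 8080 and the sample model are constructed assumptions; the long-form port keys (`host_ip`, `published`, `target`) follow the Compose specification.

```python
import copy
import ipaddress

# Constructed sample in the shape of a normalized Compose model.
# Service names "app"/"db" and port 8080 are assumptions; the bridge
# names and the internal flag are the ones the commit message gives.
HARDENED = {
    "services": {
        "app": {
            "ports": [{"host_ip": "127.0.0.1", "published": "8080", "target": 8080}],
            "networks": {"web": None, "backend": None},
        },
        "db": {"networks": {"backend": None}},
    },
    "networks": {
        "web": {"driver_opts": {"com.docker.network.bridge.name": "dk-tanabata"}},
        "backend": {
            "internal": True,
            "driver_opts": {"com.docker.network.bridge.name": "dk-tanabata-bnd"},
        },
    },
}

def is_loopback(host_ip):
    # An empty host_ip means the port is published on all interfaces.
    return bool(host_ip) and ipaddress.ip_address(host_ip).is_loopback

def audit(model, private_services):
    """Return findings for non-loopback publishes and exposed private services."""
    findings = []
    nets = model.get("networks") or {}
    for name, svc in (model.get("services") or {}).items():
        for port in svc.get("ports") or []:
            if not is_loopback(port.get("host_ip", "")):
                findings.append(f"{name}: port {port.get('published')} is published beyond loopback")
        if name in private_services:
            for net in svc.get("networks") or {}:
                if not (nets.get(net) or {}).get("internal", False):
                    findings.append(f"{name}: attached to non-internal network '{net}'")
    return findings

def weakened(model):
    # Constructed counter-example: 0.0.0.0 publish, DB also joined to "web".
    bad = copy.deepcopy(model)
    bad["services"]["app"]["ports"][0]["host_ip"] = "0.0.0.0"
    bad["services"]["db"]["networks"]["web"] = None
    return bad

if __name__ == "__main__":
    print(audit(HARDENED, {"db"}))
    print("\n".join(audit(weakened(HARDENED), {"db"})))
```
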
Description
🎋Tanabata — web file manager with tags!