From 6aac690dada7504450c3e9ee0d360df1313d1b9d Mon Sep 17 00:00:00 2001
From: botre
Date: Tue, 26 May 2026 15:12:09 +0200
Subject: [PATCH] Run container as non-root user

Add a dedicated httphq user (UID/GID 1001) in the runner stage so the image can be deployed under a restricted Kubernetes PodSecurity policy (runAsNonRoot: true). /app is chowned to the new user so SQLite can still write local.db relative to WORKDIR.
---
 Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index f405dc7..4b6e67f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,12 @@ COPY --from=builder /usr/src/app/bin/httphq ./bin/httphq
 COPY ./public ./public
 COPY ./src/views ./src/views
+RUN addgroup -S -g 1001 httphq \
+ && adduser -S -u 1001 -G httphq httphq \
+ && chown -R httphq:httphq /app
+ USER httphq
+
 ENV APPLICATION_ENV=production
 EXPOSE 8080
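Review bot: `USER httphq` does not by itself satisfy the `runAsNonRoot: true` goal stated in the commit message, because the kubelet can only verify a non-root user from a numeric UID in the image config and refuses to start a container whose image user is a name ("image has non-numeric user") unless the pod spec also sets runAsUser; switch the last added instruction to `USER 1001:1001` so the UID/GID the commit already pins is what the runtime sees. The `chown -R httphq:httphq /app` line also hands the service account write access to its own binary, views and public assets, and because it runs in a separate layer it duplicates everything the preceding COPY layers put in /app; if local.db only needs to be created next to WORKDIR, a non-recursive `chown httphq:httphq /app` is enough for SQLite to create the database and its journal while bin/, public/ and src/ stay root-owned (presumably no pre-existing local.db is copied in, which this view does not show). The hunk header counts six old lines but only five are visible, so one more context line after `EXPOSE 8080` appears to lie outside this view.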