Security

↓ Download .md

Security

How PodCubo protects your applications and data.

Rootless Containers

PodCubo uses Podman in rootless mode. This means:

Every container runs without root access to the operating system
Even if an attacker compromises your container, they don't have access to the host
More secure than traditional Docker, which runs with root privileges

Stack Isolation

Each stack is an isolated pod — all containers share the same network via localhost:

Apps and databases within the same stack communicate via localhost on their respective ports
Apps from different stacks cannot see each other
Databases are not accessible from the internet — only by apps in the same pod

Automatic SSL/TLS

All external communication is encrypted:

Let's Encrypt certificates managed automatically
Automatic renewal before expiration
HTTPS on all domains (automatic and custom)
Internal traffic between Cloudflare and PodCubo is also encrypted

DDoS Protection

All traffic goes through Cloudflare, which provides:

Automatic DDoS protection
Rate limiting
Web Application Firewall (WAF)
Static content caching

systemd

PodCubo uses Linux systemd to manage containers:

Each app is an isolated systemd service
Auto-restart on failure
Logs integrated with journald
Lifecycle management by the operating system

Best Practices

Environment Variables

Never put secrets in source code
Use environment variables for credentials, API keys, and tokens
Variables are injected at container runtime, not during build

Dockerfile

Use official and updated images
Minimize the number of layers
Don't copy unnecessary files (use .dockerignore)
Run your application as a non-root user when possible

# Example: run as non-root
FROM node:20-alpine
RUN addgroup -S app && adduser -S app -G app
USER app
WORKDIR /app
COPY --chown=app:app . .
CMD ["node", "index.js"]

Databases

Use strong passwords (auto-generated credentials already are)
Configure automatic backups
Don't expose the database directly to the internet unless necessary

← PreviousBilling