From 7c98c62d608fe74a33d1d8c82581d98c445a02be Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Mon, 8 Dec 2025 19:35:10 +0530
Subject: [PATCH] [Security] Fix HIGH vulnerability: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service (#1005)
Co-authored-by: orbisai0security
Co-authored-by: houseme
---
 docker-compose.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 987e05d8..97178bfc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -196,6 +196,8 @@ services:
 # NGINX reverse proxy (optional)
 nginx:
+ security_opt:
+ - "no-new-privileges:true"
 image: nginx:alpine
 container_name: nginx-proxy
 ports:
@@ -204,9 +206,14 @@ services:
 volumes:
 - ./.docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./.docker/nginx/ssl:/etc/nginx/ssl:ro
+ tmpfs:
+ - /var/run
+ - /var/cache/nginx
+ - /var/log/nginx
 networks:
 - rustfs-network
 restart: unless-stopped
+ read_only: true
 profiles:
 - proxy
 depends_on:
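Review bot: The added `security_opt` entry on the nginx service blocks privilege gain through setuid binaries, but the container still starts with Docker's default capability set and nothing in this hunk narrows it. Consider pairing it with `cap_drop: [ALL]` and a `cap_add` list holding only what the image is verified to need, so a compromised proxy process has less to work with. The new key also sits above `image:` while `read_only` is added near the bottom of the service in the second hunk; keeping the hardening keys together under a one-line comment such as `# hardening: immutable rootfs, no privilege gain` would make them easier to audit. The nginx service definition continues beyond this hunk.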
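Review bot: Mounting a tmpfs over `/var/log/nginx` in the second hunk hides whatever the image ships in that directory; the official nginx images symlink access.log and error.log there to stdout and stderr, so if the mounted nginx.conf (not visible here) logs to those default paths, proxy logs would move from `docker logs` into an in-memory file that is lost on every restart. That would remove the reverse proxy's access trail, which an investigation relies on. If the config uses the default paths, drop the `- /var/log/nginx` entry, since `read_only: true` does not block writes that go through the symlinks to stdout/stderr, or point `access_log` and `error_log` at `/dev/stdout` and `/dev/stderr` explicitly. The three tmpfs entries also set no explicit size, so anything written there grows in memory; the long-form `type: tmpfs` volume syntax with a size cap would bound it.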