In terms of infrastructure security, we would propose:
- Disable Demo site via DOCREADER_ENABLE_DEMO_WEB_APP="false" Environment Variable to avoid unnecessary worker utilization for serving site content and possible security issues raised by frontend vulnerabilities
- Do not expose service if possible. Access to the backend should be provided only via private tired networking.
- Use HTTPS connection where possible.
- Use firewall and limit incoming connections to apps by Firewalls/SecurtyGroups/Rules for only verified and authorized consumers (VMs/services).
- Use Load Balancer in front. In that case security configuration would be much smoother and more advanced. While it's still possible to terminate ssl connection and configure security specific headers in docreader container, let the service do the job it was created for - process request. The rest should be processed by the load balancer.
- Implement authorization, for example via Nginx and a plugin.