Copilot AI commented Nov 20, 2025

Pull Requests Review Criteria

Caution

PRs that fail to meet these review standards will be automatically flagged and may be rejected by maintainers.

  • Filled out this PR template properly
  • Did not commit directly to main
  • Limited commits (max 3–4 unless permitted by Admin/Mentors)
  • Added comments in complex parts of code

Closes: #472

Describe the add-ons or changes you've made 📃

Implements security hardening and Docker best practices based on code review feedback for the Docker setup PR.

Security

  • Environment variables for mongo-express credentials (default changeme instead of hardcoded admin123)
  • Include package-lock.json in Docker images for deterministic builds and vulnerability tracking
  • Add Referrer-Policy header to nginx configuration
  • Document MONGO_EXPRESS_USER and MONGO_EXPRESS_PASSWORD in server/.env.example

Docker Best Practices

  • MongoDB 7-noble instead of 8.2.2-noble (better stability, tested version)
  • Health checks for mongo and server services with proper dependency conditions
  • Named volume client_node_modules instead of anonymous volume
  • Modern npm syntax: --omit=dev replaces deprecated --only=production

Configuration

  • Remove VITE_SERVER_DOMAIN environment override from docker-compose (relies on .env file)
  • Comprehensive .dockerignore patterns: docker-compose*.{yml,yaml}
  • Fix DOCKER.md commands to reference docker-compose.yaml instead of non-existent docker-compose.fullstack.yaml

Example health check implementation:

mongo:
  image: mongo:7-noble
  healthcheck:
    test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
    interval: 10s
    timeout: 5s
    retries: 5
    start_period: 10s

server:
  depends_on:
    mongo:
      condition: service_healthy  # Waits for healthy mongo
  healthcheck:
    test: ["CMD", "wget", "--spider", "http://localhost:8000/monitor/health"]

Deferred: CORS configuration changes in server.js per maintainer request.

Screenshots 📷

Not applicable - configuration and documentation changes only.

Note to reviewers (Optional) 📄

All review comments from the original Docker setup PR have been addressed except for CORS configuration changes which were deferred per maintainer request.


vercel bot commented Nov 20, 2025

The latest updates on your projects.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| code-a2z | Ready | Preview | Comment | Nov 20, 2025 4:26pm |
| code-a2z-server | Ready | Preview | Comment | Nov 20, 2025 4:26pm |

@github-actions

Thank you for submitting your pull request! We'll review it as soon as possible. For further communication, join our discord server https://discord.gg/tSqtvHUJzE.

Copilot AI changed the title from "[WIP] Add Docker setup for front-end and back-end" to "Address Docker security and best practices from PR review" on Nov 20, 2025
@Avdhesh-Varshney
Member

@copilot But you have not updated the .env.example file with MONGO_EXPRESS_USER & MONGO_EXPRESS_PASSWORD?

Copilot AI commented Nov 20, 2025

@copilot But you have not updated the .env.example file with MONGO_EXPRESS_USER & MONGO_EXPRESS_PASSWORD?

You're right! I've added the MONGO_EXPRESS_USER and MONGO_EXPRESS_PASSWORD variables to server/.env.example in commit c965989. These variables are now documented with default values (admin/changeme) for the mongo-express service used in Docker.

@Avdhesh-Varshney left a comment

LGTM 🎉

@Avdhesh-Varshney merged commit d145ba5 into avdhesh/docker-setup on Nov 20, 2025 (3 checks passed)
@Avdhesh-Varshney Avdhesh-Varshney deleted the copilot/sub-pr-1329 branch November 20, 2025 16:29
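
The thread above leaves `changeme` as the documented mongo-express default, so a deployment that copies `server/.env.example` unchanged still runs with a publicly known credential. The preflight check below is an added example, not code from this PR or the project: it parses a dotenv-style file and reports the two variables when they are missing or still hold a placeholder. The extra weak values and the 12-character minimum are assumptions, and the sample input is constructed.

```python
import re

# Variable names as documented in server/.env.example by this PR.
REQUIRED = ("MONGO_EXPRESS_USER", "MONGO_EXPRESS_PASSWORD")
# "changeme" and "admin123" are the values named in the PR; the rest are assumed extras.
KNOWN_WEAK = {"changeme", "admin123", "admin", "password", ""}
MIN_PASSWORD_LEN = 12  # assumption: local policy, not taken from the PR

ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
QUOTED = re.compile(r"""(['"])(.*?)\1""")

# Constructed sample input, not the project's real file.
SAMPLE = """\
# mongo-express (Docker only)
MONGO_EXPRESS_USER=admin
MONGO_EXPRESS_PASSWORD="changeme"  # replace before first run
"""


def parse_env(text):
    """Parse dotenv-style text into a dict; the last assignment of a key wins."""
    env = {}
    for raw in text.splitlines():
        m = ASSIGNMENT.match(raw)
        if not m:  # blank lines, comments and anything that is not KEY=VALUE
            continue
        key, value = m.group(1), m.group(2).strip()
        quoted = QUOTED.match(value)
        if quoted:
            value = quoted.group(2)  # keep the quoted text verbatim
        else:
            value = re.split(r"\s+#", value, maxsplit=1)[0].strip()  # drop trailing comment
        env[key] = value
    return env


def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    env = parse_env(text)
    findings = [f"{name}: not set" for name in REQUIRED if name not in env]
    password = env.get("MONGO_EXPRESS_PASSWORD")
    if password is not None and password.lower() in KNOWN_WEAK:
        findings.append("MONGO_EXPRESS_PASSWORD: known default or placeholder value")
    elif password is not None and len(password) < MIN_PASSWORD_LEN:
        findings.append(f"MONGO_EXPRESS_PASSWORD: shorter than {MIN_PASSWORD_LEN} characters")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

Run against the real env file before `docker compose up`, a non-empty result is a reason to stop the start-up rather than expose mongo-express with a default login.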