From 2da114286643ef8d0b45b82918f96ee784c8123c Mon Sep 17 00:00:00 2001
From: Mathis HERRIOT <197931332+0x485254@users.noreply.github.com>
Date: Tue, 20 Jan 2026 22:35:42 +0100
Subject: [PATCH] chore(docker): restrict Postgres port exposure to localhost
 in production configuration

---
 docker-compose.prod.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 492d98f..6e40ebf 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -9,6 +9,8 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-app}
     networks:
       - nw_memegoat
+    ports:
+      - "127.0.0.1:5432:5432"    # not exposed to WAN, LAN only for administration checkup
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck: