Deployment & Infrastructure Operations
This page covers the packaging pipelines, host isolation mechanisms, network security boundaries, and cookie controls used in the production environment.
1. Multi-Stage Containerization
To speed up deployments and tighten security boundaries, both codebases use multi-stage Docker builds:
- Frontend Standalone Build: The Next.js runner copies only the pre-compiled `.next/standalone` Node assets. This cuts the runtime container footprint from over 1.2GB down to approximately 140MB, improving server memory utilization.
- Backend Dependency Caching: The Rust build caches the crates registry index during the build stages. Source code compilation then runs on top of the pre-compiled cache layers, shortening deploy pipeline times.
2. Sandbox Host Isolation
Limiting privileges is critical to protecting the host machine from container breakout exploits:
- Non-Root Execution: Frontend processes run under an unprivileged `nextjs` system user, while the Rust backend server runs under the `axiom` shell execution user. No container process runs with root privileges.
- Distroless Slim Runners: The Rust production runner runs inside a minimal `debian:bookworm-slim` base, eliminating unnecessary tools, package managers, and binaries. This reduces the container attack surface.
Network Headers & State Policies
Strict HTTP Headers
The Next.js reverse proxy automatically injects security headers to protect the client. Frame embedding is blocked with `X-Frame-Options: DENY` to stop clickjacking, content sniffing is restricted with `X-Content-Type-Options: nosniff`, and `Referrer-Policy` enforces strict origin limits.
Secure Cookie Parameters
Sessions are maintained using JSON Web Tokens transmitted inside `HttpOnly` cookies. This blocks client-side JavaScript from accessing session data, which limits what an XSS exploit can steal. `SameSite=Strict` cookies protect the platform from Cross-Site Request Forgery (CSRF) vectors.
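A response audit for the header and cookie policy in the two sections above, as an added example that is not the project's own code. It assumes which `Referrer-Policy` values count as strict, and it finds session cookies by their three-segment JWT shape because the page does not name the cookie; the sample responses are constructed.

```javascript
// Added example (not the project's code): audit a response against the policy above.
// Assumption: these Referrer-Policy values are what counts as a "strict origin limit".
const STRICT_REFERRER = new Set(["no-referrer", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin"]);
// Compact JWT shape (three base64url segments); used to spot session cookies by value.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Parse one Set-Cookie line into { name, value, attrs }, attribute names lower-cased.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// headers: plain object of name -> value; "set-cookie" may be a string or an array.
function auditResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const check = (name, ok) => {
    const v = typeof h[name] === "string" ? h[name].trim() : "";
    if (!v) findings.push(`${name}: missing`);
    else if (!ok(v.toLowerCase())) findings.push(`${name}: unexpected value "${v}"`);
  };
  check("x-frame-options", (v) => v === "deny");
  check("x-content-type-options", (v) => v === "nosniff");
  check("referrer-policy", (v) => STRICT_REFERRER.has(v));
  for (const line of [].concat(h["set-cookie"] || [])) {
    const c = parseSetCookie(line);
    if (!JWT_SHAPE.test(c.value)) continue; // not a token-bearing cookie
    if (!c.attrs.httponly) findings.push(`cookie ${c.name}: missing HttpOnly`);
    if (String(c.attrs.samesite || "").toLowerCase() !== "strict")
      findings.push(`cookie ${c.name}: SameSite is not Strict`);
  }
  return findings;
}

// Constructed samples: the cookie name "session" and the token are made up.
const TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl";
const GOOD = { "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin", "Set-Cookie": [`session=${TOKEN}; Path=/; HttpOnly; SameSite=Strict`, "theme=dark; Path=/"] };
const BAD = { "X-Frame-Options": "SAMEORIGIN", "Referrer-Policy": "unsafe-url",
  "Set-Cookie": `session=${TOKEN}; Path=/; SameSite=Lax` };
console.log(auditResponse(GOOD), auditResponse(BAD));
```

An empty result means the response matches the stated policy; each finding names the header or cookie that drifted, which makes the function usable as a deployment smoke test.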
WebAuthn Relying Party ID Constraints
To prevent credential replay and machine-in-the-middle relays of biometric authentication, the WebAuthn API enforces relying party checks. Handshake parameters are statically bound to the Relying Party ID (`rpId: "hub.unggulaxiom.com"`). The browser validates that the active origin matches this Relying Party ID before allowing Face ID or fingerprint checks to release credential assertions.