The Hardening Checklist

Least Privilege, Flag by Flag

This single command embodies most of container security:

$ docker run -d --name payments -p 8090:80 \
    --cap-drop ALL \
    --cap-add CHOWN --cap-add SETGID --cap-add SETUID \
    --cap-add NET_BIND_SERVICE \
    --security-opt no-new-privileges:true \
    --read-only \
    --tmpfs /var/cache/nginx --tmpfs /var/run \
    --memory 256m --pids-limit 100 \
    nginx:alpine
FlagDefends against
--cap-drop ALL + selective --cap-addkernel-capability abuse (start from zero, add only what's needed)
no-new-privilegesprivilege escalation via setuid binaries
--read-only + --tmpfs for scratch dirsmalware persistence, tampering with the app
--memory / --pids-limitresource-exhaustion DoS, fork bombs
USER app in the Dockerfileeverything root can do that the app shouldn't

Beyond docker run:

Goal: The Harden the Container lab is a security-audit remediation: you inherit a --privileged, socket-mounted nginx and must recreate it with the full checklist above - while keeping the site serving. That's the real job.