Docker makes deployment easy, but a careless setup can expose your host. Here are the key steps to run containers securely in production.

1. Don't expose the Docker API

Never bind the Docker daemon to a public TCP port without TLS — it's effectively root access to your host. Use the local socket, and access remote hosts over SSH.

2. Don't publish ports you don't need

A container's ports are only reachable if you -p publish them. Keep databases and internal services on the Docker network, and only publish your web port. Remember: published container ports can bypass UFW, so bind sensitive ports to 127.0.0.1.

3. Run as a non-root user

Use the USER directive in your Dockerfile so the process inside the container isn't root.

4. Use trusted, pinned images

image: postgres:16.4     # pin versions, avoid ':latest' in prod

Pull from official or verified sources and scan images for vulnerabilities.

5. Keep Docker and images updated

Rebuild regularly to pick up base-image security fixes. Combine these habits with the standard VPS hardening steps and your containerised stack will be solid.