One of the biggest security concerns isn't listed which is to avoid doing 8000:8000 style port publishing because it'll open your service up to the world on most cloud providers unless you explicitly block that port using a cloud-level firewall. If you're hosting on a place like DigitalOcean you could very easily not be using their external cloud firewall.
Even if you use a cloud firewall it's worth avoiding 8000:8000 for the sake of being explicit with your intentions.
The reason you'd want to avoid that is because you'll probably have your services reverse proxied by nginx, in which case only 80/443 need to be published because the internet will be hitting nginx, not your internal service at example.com:8000 or whatever port it's running on.
This topic and many other security gotchas / best practices were in my DockerCon talk from a few months ago at: https://nickjanetakis.com/blog/best-practices-around-product..., it goes over patterns how you can use a more restrictive and secure 127.0.0.1:8000:8000 value in prod but still use 8000:8000 in dev so you can check it on multiple devices on your local network, all with the same docker-compose.yml file.
Thank you for the article "Best Practices Around Production Ready Web Apps with Docker Compose". I've been referring to it since seeing the original HN submission [0]. Something like Kubernetes was overkill for my needs, especially since Docker Compose is already a part of my development workflow.
Even if you use a cloud firewall it's worth avoiding 8000:8000 for the sake of being explicit with your intentions.
The reason you'd want to avoid that is because you'll probably have your services reverse proxied by nginx, in which case only 80/443 need to be published because the internet will be hitting nginx, not your internal service at example.com:8000 or whatever port it's running on.
This topic and many other security gotchas / best practices were in my DockerCon talk from a few months ago at: https://nickjanetakis.com/blog/best-practices-around-product..., it goes over patterns how you can use a more restrictive and secure 127.0.0.1:8000:8000 value in prod but still use 8000:8000 in dev so you can check it on multiple devices on your local network, all with the same docker-compose.yml file.