Fix Dockerfile EXPOSE comment, CSP link, and blocklist references

dahlia · dahlia · commit 0d659d066028 · 2026-04-20T16:26:42.000+09:00
Add a comment before EXPOSE in both Dockerfiles noting that readers should change the port to match their app. Update the Content-Security-Policy MDN link from the old URL (docs/Web/HTTP/CSP) to the current redirect target (docs/Web/HTTP/Guides/CSP). Replace the oliphant/blocklists reference, which is retired, with Pelago and FIRE, which the project now recommends as replacements. Suggested by 2chanhaeng in #697 (comment) #697 (comment) #697 (comment) Assisted-by: Claude Code:claude-sonnet-4-6[2m]
diff --git a/.hongdown.toml b/.hongdown.toml
@@ -53,6 +53,7 @@ proper_nouns = [
   "Encyclia",
   "ESLint",
   "Express",
+  "FIRES",
   "h3",
   "Hackers' Pub",
   "Hollo",
diff --git a/docs/manual/deploy.md b/docs/manual/deploy.md
@@ -494,6 +494,7 @@ COPY . .
 # the official node images.
 USER node
 
+# Change this to the port number your Fedify app uses.
 EXPOSE 3000
 CMD ["pnpm", "run", "start"]
 ~~~~
@@ -514,6 +515,7 @@ COPY . .
 RUN deno task build
 
 USER deno
+# Change this to the port number your Fedify app uses.
 EXPOSE 8000
 CMD ["deno", "task", "start"]
 ~~~~
@@ -1082,7 +1084,7 @@ than a compromise.  At minimum, forbid inline scripts
 > hijacked.  Sanitize every post, every summary, every actor bio, from
 > every server, always.
 
-[strong Content-Security-Policy]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+[strong Content-Security-Policy]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
 
 ### Server-side request forgery (SSRF)
 
@@ -1208,16 +1210,17 @@ Block abusive instances early
 :   Apply domain-level blocklists at the inbox listener so that incoming
     activities from known-abusive instances are rejected before you spend
     time parsing them.  The fediverse maintains several community blocklists
-    ([oliphant/blocklists] is one starting point); curate your own rather
-    than importing them wholesale.
+    ([Pelago] and [FIRES] are community-maintained starting points); curate
+    your own rather than importing them wholesale.
 
 Keep the system clock in sync
 :   HTTP signatures are valid only within `~FederationOptions.signatureTimeWindow`
     (one hour by default).  Run NTP on every web and worker node.  Clock
     drift is the second-most-common “it worked in staging” production
     issue after reverse-proxy misconfiguration.
 
-[oliphant/blocklists]: https://codeberg.org/oliphant/blocklists
+[Pelago]: https://pelago.1sland.social/blocklist
+[FIRES]: https://fires.fedimod.org/
 
 
 Observability in production
