Select your stack, then choose a security level: Bad shows annotated worst-practice configs (with multiple real examples), Good covers the bare minimum, Better is production-ready, and Strictest is for compliance workloads. See exactly what changes - and why.
| Feature | ⚠ Bad | ✓ Good | ◆ Better | ★ Strictest |
|---|---|---|---|---|
| Pinned image versions | ✕ | ✓ | ✓ | ✓ |
| Secrets via .env file | ✕ inline | ✓ | ✓ | ✓ |
| Named volumes | ✕ | ✓ | ✓ | ✓ |
| Restart policy | ✕ | ✓ | ✓ | ✓ |
| DB not exposed on host port | ✕ | ✓ | ✓ | ✓ |
| Network isolation | ✕ flat | ✓ separate | ✓ + internal | ✓ + internal |
| Health checks | ✕ | ✓ basic | ✓ app response | ✓ app response |
| Log rotation | ✕ | ✓ | ✓ | ✓ |
| Resource limits (CPU + memory) | ✕ | ✕ | ✓ | ✓ |
| Linux capability drop | ✕ | ✕ | ✓ | ✓ |
| PID limit | ✕ | ✕ | ✓ | ✓ |
| Read-only filesystem | ✕ | ✕ | ✕ | ★ |
| Non-root user | ✕ | ✕ | ✕ | ★ |
| no-new-privileges | ✕ | ✕ | ✕ | ★ |
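The Strictest column of the table written out as a single Compose file, as an added example rather than the page's own generated config; the image tags, service names, the /health path, the app UID and the tmpfs paths are assumptions to adapt to your own images.

```yaml
# Added example, not from the original page: the table's Strictest column applied
# to a web app plus a Postgres database. Image tags, the /health path, the app
# UID and the tmpfs paths are placeholders (assumptions) to adjust for your images.
services:
  app:
    image: ghcr.io/example/app:1.4.2          # pinned tag, never :latest
    env_file: .env                            # secrets stay out of the compose file
    restart: unless-stopped
    ports: ["127.0.0.1:8080:8080"]            # only the app is published, loopback only
    networks: [frontend, backend]
    healthcheck:                              # checks an app response, not just "process alive"
      test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3
    logging:
      driver: json-file
      options: { max-size: "10m", max-file: "3" }     # log rotation
    deploy: { resources: { limits: { cpus: "1.0", memory: 512M } } }   # CPU + memory caps
    cap_drop: [ALL]
    pids_limit: 256
    read_only: true
    tmpfs: [/tmp]                             # the only writable path the app gets
    user: "10001:10001"                       # non-root UID:GID that exists in the image
    security_opt: ["no-new-privileges:true"]
  db:
    image: postgres:16.2
    env_file: .env
    restart: unless-stopped
    expose: ["5432"]                          # reachable on the backend network only, no host port
    networks: [backend]
    volumes: [pgdata:/var/lib/postgresql/data]   # named volume, not a bind mount
    healthcheck: { test: ["CMD-SHELL", "pg_isready -U postgres"], interval: 30s, timeout: 5s, retries: 3 }
    logging: { driver: json-file, options: { max-size: "10m", max-file: "3" } }
    deploy: { resources: { limits: { cpus: "1.0", memory: 1G } } }
    cap_drop: [ALL]
    pids_limit: 256
    read_only: true
    tmpfs: [/tmp, /var/run/postgresql]        # runtime paths postgres must write (assumed sufficient)
    user: postgres                            # image's own unprivileged user, so no root entrypoint step
    security_opt: ["no-new-privileges:true"]
networks:
  frontend: {}
  backend: { internal: true }                 # no route to the outside world
volumes:
  pgdata: {}
```

Bring up the stack with `docker compose up -d` and confirm with `docker inspect` that the db container shows no `HostConfig.PortBindings` and that `CapDrop` lists `ALL`.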
vmfarms runs dedicated Docker Swarm clusters with automated Trivy and Wazuh security scanning, 24/7 AI-powered incident response, and Canadian data residency - starting at bare-metal pricing.