How to Implement Playwright Docker Security Recommendations on Render Platform?

Hello,

I have launched a Spring Boot application containing the Playwright library on the Render service using Docker, in which I install Chromium, etc. Everything works well. However, after reading the Playwright documentation, I have some concerns about security. https://playwright.dev/docs/docker

In this article, there’s a section that states:

On untrusted websites, it’s recommended to use a separate user for launching the browsers in combination with the seccomp profile. Inside the container or if you are using the Docker image as a base image you have to use adduser for it.

docker run -it --rm --ipc=host --user pwuser --security-opt seccomp=seccomp_profile.json mcr.microsoft.com/playwright:v1.47.1-noble /bin/bash

seccomp_profile.json is needed to run Chromium with sandbox.

Using --ipc=host is recommended when using Chrome (Docker docs). Chrome can run out of memory without this flag.

In the Dockerfile, I added a new user, but my main problem is that, as far as I know, it is not possible to pass parameters to the docker run command on Render. Is there any other way I can implement these recommendations from the documentation? What default parameters does Render use when executing the docker run command?

You are correct that you cannot add/modify/invoke unique Docker parameters for services on Render.

If the concern is that you need Chrome evaluation separate from the rest of your application, you should probably make your Spring Boot service separate from a dedicated Private Service, or Background Worker, running the Chrome scraping/evaluating process. All instances on Render are containerized, sandboxed, and separate from everything else.
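
Since the docker run flags cannot be set, one way to see from inside the running container which user and seccomp mode were actually applied is to read the process status file. This is an added example, not part of the thread or of Render's or Playwright's documentation; the function names are hypothetical and it assumes a Linux container with procfs mounted.

```shell
#!/bin/sh
# Added example: report the isolation settings the container runtime applied,
# by parsing a /proc/<pid>/status file (Linux procfs format).

# status_field FILE KEY -> prints the first value of the "KEY:" line in FILE
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# seccomp_mode FILE -> disabled | strict | filter | unknown
# The kernel reports 0 (no seccomp), 1 (strict mode) or 2 (filter mode,
# which is what a Docker seccomp profile produces).
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# runs_as_root FILE -> exit status 0 if the effective UID is 0
runs_as_root() {
    # The Uid line holds: real, effective, saved-set and filesystem UIDs.
    [ "$(awk '$1 == "Uid:" { print $3; exit }' "$1")" = "0" ]
}

# posture [FILE] -> one-line summary; defaults to the current process
posture() {
    f="${1:-/proc/self/status}"
    if runs_as_root "$f"; then user=root; else user=non-root; fi
    echo "user=$user seccomp=$(seccomp_mode "$f") no_new_privs=$(status_field "$f" NoNewPrivs)"
}

# Print the summary for this process when procfs is available.
if [ -r /proc/self/status ]; then
    posture
fi
```

Running it from the container's start command, under the same user that launches the browser, shows whether the user added in the Dockerfile is in effect and whether any seccomp filter is active.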