MyPrivateClaw

Hardening Umami on Railway: Close the Public DB and Add Security Headers

Two critical fixes Railway's default Umami deployment leaves open — and how to close them.

Guide overview

Railway's one-click Umami deployment is convenient but ships with two significant security gaps: PostgreSQL and Valkey are assigned public TCP addresses by default, and Umami's Next.js app sends no security headers. This guide closes both gaps using Railway's private networking and Umami's next.config.js headers API, with no third-party proxies required.