What Security Measures Should I Have for My Self-Hosted Services in 2026?

Asked By TechieTurtle99 On

I'm running a hobby project on a self-hosted server and looking for feedback on whether my current security setup is reasonable for 2026. Here's what I have:

- A Linux host
- Dockerized services
- Only ports 80 and 443 exposed to the public
- A reverse proxy that handles TLS, ensuring HTTPS is enforced
- Using ASP.NET (with .NET 10) that includes built-in Identity and OAuth
- Only relying on EF Core/ORM and avoiding raw SQL
- Implementing auto-encoding with no user HTML rendering
- Setting basic security headers like CSP, HSTS, nosniff, referrer, and permissions
- Host firewall is enabled with a default deny for incoming traffic
- Keeping up with regular security updates for the OS and container rebuilds with unattended upgrades
- Applying rate limiting policies

I'm not aiming for enterprise-level security; just want to ensure this is sensible for a hobby application. Does this security baseline sound good? Also, are there common areas where I might overlook security measures related to operations, maintenance, or processes?

3 Answers

Answered By SecuritySavant2023 On

This is a great baseline! Here are a few tweaks you might want to consider:

- Keep rate limits on authentication endpoints to combat credential stuffing — there are packages for that in .NET.
- Use Fail2ban or something similar to automate banning IPs after multiple failed attempts to access sensitive points like SSH.
- Don't forget about regular automated backups and testing your restore process!
- Ensure your Content Security Policy is strict enough; many people get it wrong and leave it open too much.
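
As an added example (not code from any poster here), a small Python check for the header baseline listed in the question and for the "CSP left too open" point in this answer. The header values are constructed samples, and the rules it applies (one-year HSTS max-age, no wildcard, scheme-only or unsafe-* sources in script-src, object-src and frame-ancestors set) are my own assumptions about a sensible hobby baseline.

```python
import re
# Baseline headers from the question, lowercased for matching (assumed rule set).
REQUIRED_HEADERS = {"content-security-policy", "strict-transport-security",
                    "x-content-type-options", "referrer-policy", "permissions-policy"}
BROAD_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
ONE_YEAR = 31536000  # HSTS max-age in seconds; the usual one-year minimum

def parse_csp(value: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def audit_headers(headers: dict) -> list:
    """Return findings for a response's security headers; [] means it passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in sorted(REQUIRED_HEADERS - lower.keys())]
    hsts = lower.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < ONE_YEAR):
        findings.append("hsts: max-age below one year")
    csp = lower.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("csp: no default-src fallback")
        fallback = policy.get("default-src", [])
        for src in policy.get("script-src", fallback):  # script-src falls back to default-src
            if src in BROAD_SCRIPT_SOURCES:
                findings.append(f"csp: script-src allows {src}")
        if "object-src" not in policy and "'none'" not in fallback:
            findings.append("csp: object-src not restricted (plugins)")
        if "frame-ancestors" not in policy:
            findings.append("csp: frame-ancestors not set (clickjacking)")
    return findings

LOOSE_HEADERS = {  # constructed sample: permissive CSP, short HSTS, headers missing
    "Content-Security-Policy": "default-src * 'unsafe-inline'; script-src * 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=3600",
}
STRICT_HEADERS = {  # constructed sample: the same site after tightening
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Running `audit_headers` over the headers your reverse proxy actually returns (for example, captured with curl -I) gives a quick regression check after each container rebuild.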

Answered By CyberGuardian007 On

You've got a solid security foundation for your hobby project! I’d suggest considering a couple of additional measures:

1. Always validate user input — it's critical!
2. Implementing Cloudflare Tunnels could help with DDoS protection, as rate limiting alone might not be enough.
3. If you're sending emails (like for verification or password resets), set up SPF, DKIM, and DMARC DNS records for added security.

Answered By TechWhizKid88 On

It's a decent starting point, but I'd advise against keeping port 80 open. Only 443 should be accessible for security! If you're worried about users typing HTTP, a redirect should happen via a web server that's listening on 80. However, for certain challenges (e.g., Let's Encrypt), you might temporarily need port 80 open for verification, so just keep that in mind.

HobbyistDude123 -

What about remote access? Can I just use a VPN instead and not worry about port 22 being open? Also, if I don’t have port 80 open, do users get an error when they try to access my site without HTTPS?

SecureNet123 -

Good point! Keep in mind that with HTTP-01 challenges, you might need port 80 open. Just look up guidelines from services like Let's Encrypt to clarify when it's needed.
