Running a hobby project on a self-hosted server and wanted a quick sanity check on whether this counts as a reasonable minimum security baseline in 2026.
High-level setup:
- Linux host
- Dockerized services
- Only 80/443 exposed publicly
- Reverse proxy terminating TLS (HTTPS enforced)
- ASP.NET (.NET 10) with built-in Identity + OAuth
- EF Core/ORM only (no raw SQL)
- auto-encoding, no user HTML rendering
- Basic security headers (CSP, HSTS, nosniff, referrer, permissions)
- Host firewall enabled (default deny incoming)
- Regular security updates (OS + container rebuilds, unattended upgrades)
- Rate limiting policies
This isn’t meant to be enterprise-grade, just sensible for a hobby app.
Does this sound like a reasonable baseline?
Any common blind spots people usually miss at this stage (ops, maintenance, or process-wise)?
Top comments (0)