Niclas

Reasonable security baseline for self-hosted services 2026?

Running a hobby project on a self-hosted server and wanted a quick sanity check on whether this counts as a reasonable minimum security baseline in 2026.

High-level setup:

  • Linux host
  • Dockerized services
  • Only 80/443 exposed publicly
  • Reverse proxy terminating TLS (HTTPS enforced)
  • ASP.NET (.NET 10) with built-in Identity + OAuth
  • EF Core/ORM only (no raw SQL)
  • Auto-encoding, no user HTML rendering
  • Basic security headers (CSP, HSTS, nosniff, referrer, permissions)
  • Host firewall enabled (default deny incoming)
  • Regular security updates (OS + container rebuilds, unattended upgrades)
  • Rate limiting policies

This isn’t meant to be enterprise-grade, just sensible for a hobby app.
Does this sound like a reasonable baseline?

Any common blind spots people usually miss at this stage (ops, maintenance, or process-wise)?
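Added example (not from the post): a minimal ASP.NET Core Program.cs wiring the checklist items that live in the app itself, namely HSTS, the security headers, per-client rate limiting, and forwarded-header handling for the reverse proxy that terminates TLS. The proxy address, CSP value and limits are assumptions to adjust per deployment.

```csharp
using System.Net;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// TLS ends at the reverse proxy, so Kestrel sees plain HTTP from one IP.
// Trust that proxy's X-Forwarded-* headers (and only that proxy's) so
// RemoteIpAddress / IsHttps reflect the client, not the proxy.
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    o.KnownProxies.Add(IPAddress.Parse("172.18.0.2")); // assumed proxy container address
});

builder.Services.AddHsts(o => { o.MaxAge = TimeSpan.FromDays(365); o.IncludeSubDomains = true; });

// Fixed window per client IP: 100 requests per minute, no queueing, 429 on reject.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100, Window = TimeSpan.FromMinutes(1), QueueLimit = 0
            }));
});

var app = builder.Build();

app.UseForwardedHeaders(); // first: later middleware reads the corrected scheme/IP
app.UseHsts();
app.UseHttpsRedirection();
// Response headers from the checklist; values are assumptions to tune per app.
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'; object-src 'none'";
    h["X-Content-Type-Options"] = "nosniff";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    await next();
});

app.UseRateLimiter();
app.MapGet("/", () => "ok");
app.Run();
```

Without the forwarded-header step, every client shares the proxy's address and the rate limiter throttles all of them as one, and HTTPS redirection can loop; the strict CSP above also blocks inline scripts and styles, so check the app's own pages against it.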

Top comments (1)

Daniel (intergalacticuser)

Good baseline for a hobby project — you've covered the perimeter well. The blind spot I see most often at this stage is operational transparency: having a structured audit trail for server-level actions, not just application logs. Most setups log what the app does but not what happened to the server itself — which service restarted and why, what changed between deploys, who accessed what and when. It makes post-incident debugging much harder than it needs to be.
I ran into exactly this before getting Nexus Server App (nexus-server.app) — local-first server management panel for developers and self-hosters. Full audit logging was one of the first features I required because I kept losing track of my own server's state. "What actually happened on this machine in the last hour?" is a question you'll want to answer quickly someday.