team@tinypod.app

Securing Your Self-Hosted Applications: A Complete Checklist

Self-hosting means self-securing. Follow this checklist to protect your applications from common attack vectors.

Tags: security, hardening, best-practices

Security Is Your Responsibility


When you self-host, there is no vendor security team standing between attackers and your data; every control in this checklist is yours to implement and keep working. That sounds scary, but it is also the upside: you decide the security posture instead of inheriting a vendor's, and you can verify it yourself.


Network Security


Use HTTPS Everywhere

Put every application behind HTTPS, no exceptions. A reverse proxy with ACME support can obtain and renew TLS certificates from Let's Encrypt automatically; redirect plain HTTP to HTTPS, and enable HSTS once you have seen at least one renewal succeed.


Minimize Exposed Ports

Only publish the ports that must be reachable from the internet, typically 80 and 443 on your reverse proxy. Databases, Redis, message queues and admin interfaces should listen on localhost or a private network only, never on a public interface.


Use a Firewall

Configure iptables, nftables or ufw with a default-deny inbound policy and allow only SSH, HTTP (80) and HTTPS (443). Where you administer from a fixed address or a VPN, restrict the SSH rule to that source. Be aware that Docker implements published ports with its own iptables rules, which bypass ufw's INPUT chain, so a container port published on all interfaces stays reachable no matter what ufw says; publish such ports on 127.0.0.1 or not at all.


Change Default SSH Port

Moving SSH from port 22 to a high port cuts most of the automated scan noise in your logs, but it is obscurity, not access control: a full port scan still finds it. Pair it with key-only authentication (PasswordAuthentication no), PermitRootLogin no, and rate limiting or fail2ban.
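The firewall and SSH-port steps above, as one script. This is an added example, not TinyPod's platform code: it generates a default-deny ufw ruleset, opens 80 and 443, and rate-limits SSH on the new port from an admin network only. It assumes a Debian/Ubuntu host with ufw installed; SSH_PORT (2222) and ADMIN_CIDR (203.0.113.0/24, a documentation range) are placeholders for your own values.

```sh
#!/bin/sh
# Added example (not TinyPod code): build a default-deny ufw ruleset for a
# self-hosted host. Assumptions: Debian/Ubuntu with ufw; SSH already moved to
# $SSH_PORT; $ADMIN_CIDR is the network you administer from (203.0.113.0/24 is
# a documentation range standing in for your real one).
set -eu

SSH_PORT="${SSH_PORT:-2222}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"

# Accept only an integer in 1..65535; anything else is a typo we refuse to
# turn into a firewall rule (and a locked-out box).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands, one per line, without executing anything.
# 'ufw limit' both allows the port and rate-limits new connections from a
# source (6 per 30 s), which blunts brute force even on the non-default port.
fw_rules() {
  valid_port "$SSH_PORT" || { echo "bad SSH_PORT: $SSH_PORT" >&2; return 1; }
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw limit proto tcp from $ADMIN_CIDR to any port $SSH_PORT" \
    "ufw allow 80/tcp" \
    "ufw allow 443/tcp" \
    "ufw --force enable"
}

# Dry run by default; APPLY=1 executes the rules (run as root, ufw installed).
apply_rules() {
  if [ "${APPLY:-0}" != "1" ]; then
    fw_rules
    return 0
  fi
  command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
  fw_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
}

apply_rules
```

Run it once without APPLY to review the rules. Before enabling, confirm sshd is already listening on the new port and open a second session through it, so a mistake does not cost you the only way in. Keep the from clause on the SSH rule only if your admin address really is fixed; otherwise drop it and rely on keys plus the limit rule. Note that port 22 is deliberately not opened.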


Authentication


Use Strong Passwords

Every self-hosted application should have a strong, unique admin password generated by a password manager. Never reuse one across apps: with shared passwords, a breach of the least-maintained service becomes a breach of all of them.


Enable Two-Factor Authentication

If the application supports 2FA (TOTP, or better, WebAuthn/passkeys, which are phishing-resistant), enable it, especially for admin accounts.


Disable Default Accounts

Many applications ship with well-known default credentials (admin/admin and the like). Change or disable them immediately after installation, before the service is reachable from the network; scanners try the defaults within minutes of a new host appearing.


Use SSO When Possible

If you run multiple self-hosted apps, put them behind a self-hosted identity provider (Authentik, Keycloak) for single sign-on. You then enforce 2FA, password policy and account removal in one place instead of in every application.


Updates


Keep Applications Updated

Subscribe to release notifications (or security advisories) for your self-hosted apps and apply updates promptly; they often include security patches, and the changelog tells attackers what to look for on unpatched hosts.


Automate Updates When Safe

For non-critical applications, enable auto-updates. For critical ones, test updates in staging first, and take a backup before every upgrade so a bad release can be rolled back.


Update the Host OS

Server operating system updates are just as important as application updates. Enable unattended security updates for the OS and schedule reboots yourself when a kernel or libc update needs one.
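One way to do the OS part safely, as an added example rather than anything TinyPod ships: automatic security-only updates via unattended-upgrades, with reboots left to you. It assumes an Ubuntu host with the unattended-upgrades package installed (Debian's security archive uses a different origin pattern); APT_CONF_DIR is a knob added here so the files can be previewed in a scratch directory.

```sh
#!/bin/sh
# Added example (not TinyPod code): enable automatic security-only updates on
# an Ubuntu host. Assumes unattended-upgrades is installed. Writes into
# $APT_CONF_DIR (default /etc/apt/apt.conf.d) only when APPLY=1; otherwise
# previews the files it would write.
set -eu

APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"

# Security pocket only: feature updates (-updates) stay a manual, tested
# rollout. No automatic reboot; an unplanned 03:00 reboot that takes your apps
# down is a worse outage than a kernel patch applied a day later. Mail root
# so the result is visible without logging in.
unattended_conf() {
  cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "root";
EOF
}

# Run the package-list refresh and the upgrade daily; autoclean weekly.
periodic_conf() {
  cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Overwrites the distribution's 50unattended-upgrades so that the origin list
# is exactly the one above (APT config lists are additive across files).
install_conf() {
  mkdir -p "$APT_CONF_DIR"
  unattended_conf > "$APT_CONF_DIR/50unattended-upgrades"
  periodic_conf > "$APT_CONF_DIR/20auto-upgrades"
  chmod 0644 "$APT_CONF_DIR/50unattended-upgrades" "$APT_CONF_DIR/20auto-upgrades"
}

# After applying, a dry run shows which origins are honoured and which
# packages would be upgraded, so you can check the config before trusting it.
dry_run_check() {
  command -v unattended-upgrade >/dev/null 2>&1 \
    || { echo "unattended-upgrades not installed" >&2; return 1; }
  unattended-upgrade --dry-run --debug
}

if [ "${APPLY:-0}" = "1" ]; then
  install_conf && dry_run_check
else
  echo "# preview (set APPLY=1 to write into $APT_CONF_DIR)"
  unattended_conf
  periodic_conf
fi
```

The script deliberately leaves Automatic-Reboot off; pair it with a monitoring check on /var/run/reboot-required so you notice when a kernel update is waiting, and reboot during a window you chose.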


Data Protection


Encrypt Data at Rest

Use full-disk encryption (for example LUKS) on the host, or application-level encryption for sensitive fields. Remember what each protects against: full-disk encryption covers a lost, stolen or reused disk, not an attacker who has compromised the running system, where the volume is already unlocked.


Regular Backups

Back up everything daily. Test restores monthly; a backup that has never been restored is an assumption, not a backup. Store copies offsite, and encrypt them before they leave the host, since the offsite copy sits outside your perimeter.
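A backup routine that includes the restore test the checklist asks for, written here as an added example (not part of TinyPod's automated backups): it archives an application data directory with a SHA-256 manifest, restores it into a scratch directory and compares file by file, and prunes old archives. DATA_DIR and BACKUP_DIR are assumed paths; encrypt the archive (gpg or age) before syncing BACKUP_DIR offsite.

```sh
#!/bin/sh
# Added example (not TinyPod code): daily backup with a real restore check.
# Assumptions: the app's data lives in $DATA_DIR, archives go to $BACKUP_DIR,
# and a separate job encrypts and ships $BACKUP_DIR offsite.
set -eu

DATA_DIR="${DATA_DIR:-/srv/app/data}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/app}"

# Portable SHA-256 of one file (coreutils sha256sum or perl/BSD shasum).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Create $BACKUP_DIR/app-YYYYmmdd-HHMMSS.tar.gz plus a .sha256 next to it and
# print the archive path. tar runs from the parent directory so the archive
# holds relative paths and cannot clobber absolute paths on restore.
make_backup() {
  stamp=$(date -u +%Y%m%d-%H%M%S)
  archive="$BACKUP_DIR/app-$stamp.tar.gz"
  mkdir -p "$BACKUP_DIR"
  tar -C "$(dirname "$DATA_DIR")" -czf "$archive" "$(basename "$DATA_DIR")"
  sha256 "$archive" > "$archive.sha256"
  echo "$archive"
}

# The restore test: checksum must match, then unpack into a scratch dir and
# diff against the live tree. Returns 0 only if the restored tree is identical.
verify_backup() {
  archive="$1"
  [ "$(sha256 "$archive")" = "$(cat "$archive.sha256")" ] || {
    echo "checksum mismatch: $archive" >&2; return 1; }
  scratch=$(mktemp -d)
  tar -C "$scratch" -xzf "$archive"
  if diff -r "$DATA_DIR" "$scratch/$(basename "$DATA_DIR")" >/dev/null; then
    rm -rf "$scratch"; return 0
  fi
  echo "restored tree differs from $DATA_DIR" >&2
  rm -rf "$scratch"; return 1
}

# Keep the newest N archives (default 7) and delete the rest with their
# checksum files; this is the "limit data retention" step for backups.
prune_backups() {
  keep="${1:-7}"
  ls -1t "$BACKUP_DIR"/app-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -f "$old" "$old.sha256"; done
}

# Usage from cron: sh backup.sh run
if [ "${1:-}" = "run" ]; then
  a=$(make_backup); verify_backup "$a"; prune_backups 7; echo "ok: $a"
fi
```

For databases, dump to a file inside DATA_DIR first (pg_dump, mysqldump) rather than archiving live database files, which can be inconsistent mid-write. The monthly test is then a full restore of the dump into a throwaway instance, not just this file-level diff.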


Limit Data Retention

Don't keep data longer than necessary. Purge logs, old sessions and unused accounts on a schedule; data you no longer hold cannot be stolen in a breach.


Monitoring


Log Everything

Centralize logs from all applications and from the host itself (sshd, the reverse proxy, the container runtime), and look for unusual patterns. Ship them off the host, so an attacker who gains root cannot quietly erase the evidence.


Set Up Alerts

Alert on bursts of failed login attempts from one source, unusual traffic patterns, and resource anomalies such as a sudden sustained CPU load (a common sign of a cryptominer) or a disk filling up.
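The failed-login alert from the paragraph above, as an added example run over a constructed auth.log sample (this is not TinyPod's monitoring, and the IP addresses are documentation ranges). It counts sshd password failures per source address and emits one alert line per source at or above a threshold; point it at the real log to use it.

```sh
#!/bin/sh
# Added example (not TinyPod code): count failed SSH logins per source and
# alert on sources above $THRESHOLD. Works on syslog-style sshd lines
# (/var/log/auth.log or journalctl -u ssh output).
set -eu

THRESHOLD="${THRESHOLD:-5}"

# Constructed sample: one noisy scanner, one user who mistyped once before a
# successful key login, and one single-attempt probe.
SAMPLE_LOG='Mar  3 04:12:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 04:12:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 04:12:05 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 51041 ssh2
Mar  3 04:12:07 host sshd[1204]: Failed password for root from 198.51.100.7 port 51055 ssh2
Mar  3 04:12:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51060 ssh2
Mar  3 04:12:11 host sshd[1206]: Failed password for root from 198.51.100.7 port 51071 ssh2
Mar  3 04:13:40 host sshd[1210]: Failed password for alice from 203.0.113.9 port 40012 ssh2
Mar  3 04:13:52 host sshd[1210]: Accepted publickey for alice from 203.0.113.9 port 40012 ssh2: ED25519 SHA256:abc
Mar  3 04:14:00 host sshd[1215]: Invalid user test from 192.0.2.33 port 3333
Mar  3 04:14:01 host sshd[1215]: Failed password for invalid user test from 192.0.2.33 port 3333 ssh2'

# stdin -> "count ip" per source, highest first. Keys on the token after
# "from", so both "for USER from IP" and "for invalid user USER from IP"
# are handled despite the variable-length user name.
failed_by_source() {
  awk '/Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin -> one "ALERT ssh-bruteforce ip=... failures=N" line per source at or
# above THRESHOLD. Exit status is 0 whether or not anything fired; feed the
# output to your alerting channel (mail, webhook) and act on non-empty output.
alerts() {
  failed_by_source | awk -v t="$THRESHOLD" '$1+0 >= t+0 {
    printf "ALERT ssh-bruteforce ip=%s failures=%d\n", $2, $1 }'
}

# Demo on the constructed sample; for real logs: alerts < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | alerts
```

The threshold is per log window, so run it over a short tail (the last 10 minutes via journalctl --since) rather than the whole file, or a slow scanner spread over a week looks the same as a legitimate user's occasional typos.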


Monitor for Vulnerabilities

Use tools like Trivy to scan container images for known vulnerabilities, both before you deploy an image and on a schedule afterwards, since new CVEs keep being published against images that have not changed. Fail the deploy on high or critical findings that have a fix available.


TinyPod Security Features


  • Automatic HTTPS on all deployments
  • Container isolation between applications
  • Network isolation between users
  • Firewall rules managed at the platform level
  • Automated backups with encrypted storage