I am developing a platform, the details don’t matter, but it’s a system that hosts personal data. As a result, I want to avoid hosting users in any way, and I am trying to make it as easy to self-host as possible.
I have some experience self-hosting applications and I have some intuition about what to do and what not to do, but I wanted to see if I can pull from the collective wisdom.
Got any good resources to share? Any tips? Or, maybe some bad experiences or things to avoid?
I think you’ll have to learn a bit about security. There is no one article, but entire books written about that… And it really depends on the type of service, the used frameworks and the intended deployment.
I’d have a look at similar software. There are tons of open source projects that handle sensitive information. From files like Nextcloud to contact sync to ticketing and payment information.
Edit: I’d leave Docker as an afterthought, since some people recommend that. It’s deployment, not development. And not a means of stopping user data getting leaked or stopping login brute forcing.
A good place to start is the OWASP cheat sheet. They provide up-to-date, high value information about software security; I wish there was a resource like this when I started learning about security.
Even though I have a decent background in software security, it’s hard to decide on an encryption schema that’s both safe and easy to use. My goal is to increase the number of components an attacker has to compromise in order to get access to the data.