ITD Web Security Platform
Tag: server

5 articles with this tag

2026-06-11

Security inventory — 7 checks people running several servers overlook

For solo/small operators, incidents come less from missing controls than from untracked state. The boundary is the PC holding your keys. Tier your 2FA by root of trust, build a matrix of your SSH keys to eliminate duplicates, unused keys, and orphans, remove plaintext passwords from the cloud, remediate reversibly one item at a time, and keep secrets out of the ledger. Inventory before adding tools.

2026-06-11

Did you leave a secret file in a public directory? Audit your webroot

Anything in your webroot is fetchable by URL by anyone. A leftover token/credential JSON, .env, or backup means instant exposure — and if it came from a shared template, every site has the same hole. Fix: put only publicly-shareable things in the public dir, keep secrets outside the webroot at perms 600, and once you find one, audit every site and host.

2026-06-11

Self-hosted Git vs GitHub: which is actually more secure?

Self-hosting Git doesn't make you 'more secure' — it relocates the risk. The accidental-public-exposure class disappears, but patching the server, backups, and pre-commit secret detection move onto you. The right call if you pay the price; worse than GitHub if you neglect it. This site's view: self-hosting only works bundled with its compensating controls.

2026-06-11

Don't give root keys to environments that can be compromised: SSH key least privilege

Registering a root key into production from an ephemeral, compromisable environment (GPU pod, CI runner, throwaway VM) means that the moment the environment is compromised, production is taken with root. Fix: no root keys on ephemeral environments; remove keys when unused; if needed again, use a non-root user plus a command-restricted key that limits the key to one operation. A reused key is your most critical asset — never build a 'one leak, everything' setup.

2026-06-07

Keeping .env off the public web on shared hosting

The real fix: keep the application body outside the docroot and expose only public/. Stop the bleeding with .htaccess, make it permanent by restructuring, then self-check. This site's view: this isn't one person's slip but an industry-standardized bad pattern — fix it with process, not vigilance. A bootstrap redirect beats a symlink.