[-] echodrift@programming.dev 2 points 1 week ago

That’s an interesting perspective. I am pretty paranoid and I run the backend API in Docker as a non-root user. I am pretty paranoid but kinda clueless doing all of this myself; I did use an SSH key that requires a YubiKey to log in to the VPS, and I don’t store any secrets on the VPS, it’s all managed via GitLab.

I’m just getting started, so there’s not even a DB currently, not yet needed. I would want to run everything over k8s eventually, and was considering hosting GitLab myself for the experience and because I can’t afford to pay for the CI/CD stuff.

Does it make sense to run everything on a separate instance from a security perspective? I’m already having nightmares from thinking about the networking between all of that :D

[-] echodrift@programming.dev 2 points 1 week ago

Thanks, this is reassuring. Yeah, I don’t really know what I’m doing with the headers, but I’m trying my best to be as restrictive as possible. I think I’m still doing something wrong with the headers because I can’t seem to connect to the backend when the frontend is deployed.

Yeah, I’m super paranoid about what I’m exposing; I made sure that there are no environment variables or secrets exposed.


So basically I built a backend with some working endpoints and I built a React frontend. I can run both things locally, and I hosted the page on Cloudflare Pages, which is working. But now I’m wondering if that’s a good idea?

I have never done this before, and I’m wondering if it’s secure enough to host the backend on some server and allow a CORS header to let the frontend generate requests?

The alternative would be to host frontend and backend on a VPS and then route the domain that I bought on Cloudflare there, but then I’m thinking that in case my frontend is insecure somehow, the whole instance would be compromised, no?

I hope this is the right platform to ask as I’m pretty new here.
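As an added illustration of the CORS question above (not code from the poster or the thread), this is the policy shape a backend can use when its only legitimate browser client is a frontend on Cloudflare Pages: an exact-match origin allowlist, with the commonly seen weak variant beside it for contrast. The origin strings are constructed placeholders.

```javascript
// Added example: origin allowlist for a backend whose browser client lives on
// Cloudflare Pages. The origins below are constructed placeholders, not the
// poster's real deployment.
const ALLOWED_ORIGINS = new Set([
  "https://example-frontend.pages.dev", // placeholder production frontend
  "http://localhost:5173",              // local dev server during development
]);

// Decide the CORS response headers for one request.
// requestHeaders: object with lowercase header names; method: HTTP method.
// Returns null when the Origin is absent or not allowlisted, so the handler
// sends no Access-Control-* headers and the browser blocks the cross-origin read.
function corsHeaders(requestHeaders, method) {
  const origin = requestHeaders["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // Echo only an origin we matched exactly; never "*" together with credentials.
    "Access-Control-Allow-Origin": origin,
    // Tell caches (including a CDN in front) that the response differs per Origin.
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
  };
  if (method === "OPTIONS") {
    // Preflight response: fixed allowlist of methods and request headers,
    // not a reflection of whatever Access-Control-Request-Headers asked for.
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// The weak variant for comparison: reflecting any Origin while also allowing
// credentials lets any site the user visits read authenticated API responses.
function weakCorsHeaders(requestHeaders) {
  return {
    "Access-Control-Allow-Origin": requestHeaders["origin"],
    "Access-Control-Allow-Credentials": "true",
  };
}

// Quick self-check when run directly: unknown origin gets no CORS headers.
if (typeof require !== "undefined" && require.main === module) {
  console.log(corsHeaders({ origin: "https://unrelated.example" }, "GET")); // null
  console.log(corsHeaders({ origin: "https://example-frontend.pages.dev" }, "OPTIONS"));
}
```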
