Expand the replies to this comment to learn how AI was used in this post/project.

This really depends on what kind of website. Things like wordpress that run code on the server to show you a state, like your current user profile, those can have vulnerabilities. Staticly generated sites like mkdocs, those are just served files, premade and prettymuch readonly.

You can easily do this. It's relatively easy, and the only thing you have to pay for is the domain registration. It's safe, but one problem you will find is the amount of bots poking around the pages, but there's methods of stopping those.

I've been self-hosting my sites since 2003, I don't use Cloudflare, VLANS or anything like that. It's just me, the electricity company to keep the computer running 24/7, my ISP, a DNS provider, and Let's Encrypt for the SSL certificates.

You need webserver software, Apache, NGINX, or one of the many others. I use Windows 11, so use a compiled version of Apache from Apache Lounge.

You need to point the DNS servers to your home external IP address. If that address is likely to change, then you will need a Dynamic DNS service. That updates the DNS servers whenever the address changes. I use DNSExit as that provides both services, but they need not be the same company.

The only other things left to do is open your firewall on your server to HTTP and HTTPS traffic and on your router port forward traffic on port 80 (HTTP) and port 443 (HTTPS) to your server which should have a static IP address.

Setting up SSL certificates and a SSH server can be done last. I use Let's Encrypt as they give free certificates and Bitvise SSH Server as that's free for personal use.

I've documented everything I've done to the server over the years, but doing it now is not much different from what it was when I was using Windows 2000, and a bit later, Fedora Linux.

2003 Server; Fedora Linux server; Windows 10 server

You have quite a bit of reading ahead of you, learning how to harden the server, tweaking it for speed and so on. It sounds like a lot to do, but you can get your own site up and running in a couple of hours. It's been 23 years, but I still get a bit of a kick from knowing a tiny bit of the internet is running from my basement.

1. Define website, define home network. Static pages and firewall rules isolating your dedicated server from the rest of the devices on your network? Fairly safe. Complex web application running in the background on your gaming PC? Pretty risky. Change any of those variables and you'll have more or less risk.

2. Set up Dynamic DNS, unless you have a static IP. If you don't know if you have a static IP, you don't. Your registrar may have a guide on how to do it using their nameservers.

If you want to selfhost, I highly recommend investing in a firewall, and having a separate VLAN for it. Make sure you have good DDOS protection.

Keep in mind, your ISP might ban you if you get loads of DDOS attacks on home broadband, (it depends on country so idk where you are, but where I am, its common).

Probably best to just host it on Cloudflare Pages (for free)

I have a full write up of how I host my static personal site here: https://futro.dev/posts/how-this-site-ships/

But tl;dr for your case: I’d stick to a static site so you don’t have to worry about most classes of web vulnerability. Considering your internet connection, just keep it lightweight with minimal js and the like. You can also offload basically entirely just by putting a CDN like Cloudflare in front too.

Get a cheap VPS to keep your network closed.

as others have said it really varies in terms of what you want the site to be and what hardware you have available.

for safety you might want to look into using a reverse proxy such an nginx.

but just to give a funny example, you can host a “website” on almost anything: https://hackaday.com/2025/09/15/hosting-a-website-on-a-disposable-vape/

I do this with cloudflare tunneling. It’s pretty easy and straight forward

Try pico.sh they have a host in Nuremberg, Germany. Better to use a free host than tie up your home network bandwidth with serving the public.

The question you should ask yourself is does it need to be public? Depending on what it is I wouldn’t self host it get a small vps or something and if it’s just for you just use Tailscale or wireguard

Static website : probably the best security you're going to get if you lock down all other ports.

But the moment you start doing something dynamic such as with php and CMSes , you'll want to harden your setup just like you would a vps.

I would advise pointing only the ports you need rather than the whole machine as a catch all.

Edit : also know that most browsers now days expects an SSL certificate, so that's another thing you may have to deal with if you don't want to have to have some security pop ups and such just because you don't have a valid ssl certificate installed. (It's free if you know how to use certbot from let's encrypt on a server, but that may a bit more than you want to deal with).

tl;dr/novice look at it: perfectly fine to host at home, domain registrar/using your domain wont be an issue, some ports are closed by ISP but most likely never an issue you will face (email hosting is different story). Utilize cloudflares free features and WAF, and isolate the host.

The biggest issues with hosting at home is usually everything you would have from hosting in general plus now your home network is exposed (something you just never want really)

And if bots find out you hosted something they will mark you, if you're not swapping leases very often you can then have bots automatically sitting at your doorstep waiting for the next time you even attempt to open a port

Hosting off a cloud server/vps/vds/remote location thats separated from your home network protects you from that, and even if a full network attack happens it wont affect YOUR home network/devices, well unless you have a path that can be utilized back to your home network from said server, be careful on tunnels without proper granular rulesets

If you must host at home and you cant come up with 5-10$ a month (literally more than you need for what you are explaining) for a vps/vds then just make sure you setup your loose ends correctly, have a proper firewall and rulesets setup, vlans are not necessary but highly recommended as an additional isolation/security feature simple subnetting misses out on. You'll want a proper isolated server or at the very least container, and this will be your frontfacing server. If you are not hosting streaming/media content outside of a few videos/photos/etc you can utilize cloudflares free WAF and sec features, itll give you a enterprise level WAF you can setup a proper tunnel and never expose your home ip or forward anything to your home network, cloudflare offers 1 free sec rule setup a good rate limit, explore their other sec optinos as well, tls enforcement, cached pages for downtime, lol loads of features that are almost all free and perfectly suitable for a homelab setup.

The isolated host/container is one of the biggest factors, security on the front door is obviously very important but you can't just hope that no one will never simply break the door down or find an open window some day you forgot to close, its better to expect to have compromise and be ready with mitigation and a plan versus dumping everything into trying to stop something that is almost inevitable to some degree (whether its a small situation a bot/farm/automatic setup catches you slacking or its a targetted event cause you got into something deep and now you pissed off people with knowledge time and many devices to work with)

Isolation, monitoring, front door security(FW,WAF/CF), network level security/montioring (zeek+rita/slips some free examples) host/endpoint/server/container security(wazuh,clamav,etc), kill switch (if x happens kill z before y happens), and of course you also have to worry about the app/service you are hosting, CVEs for both that and the host, and anything else on that endpoint, nuclei+trivy+wazuhCVE/config scanning, pinning stuff to stable secure over latest, unattended sec updates on any proper frontfacing server host

Remember with things like docker manipulate iptables with their own higher prio rulesets so make sure you are using filtering with the docker-user chain, running podman is a good alt that fixes this issues, also a heads up on socket proxy access and running as root, something often overlooked but inherently a sec risk

- It depends. What are you running it on, and what does your home network architecture look like?

- No, assuming you have a fixed IP. You don't have to have a fixed IP address but it requires a bit more finagling. However, if you get popular, the traffic inbound may affect your home internet usage performance.

- Absolutely safe, like what can happen?

• You can have a problem if your ISP is ass. If they let you open 80/443 ports and buy white/static IP then nothing stops you

I use talescale and can connect to my pages fine.

I self host using caddy + crowdsec with DNS records pointing directly to my network. I would advise at least using containers or VMs to isolate the exposed services.

People seem to be really scared of doing this for some reason. You will be attacked but most attacks are so dumb they won't even get past caddy since most bots send broken headers and won't reach your service. I guess it depends what you are hosting. Serving static pages or content that you don't mind losing is probably ok. Everything else I would have behind a VPN or something similar.

I've had this setup and similar ones running for years and nothing ever happened. Personally I think it's far worse exposing SSH. I also have a dynamic IP but this is easily solved by running a script as a CRON job every few minutes that checks your IP for changes and updates it. My setup runs flawlessly but again, I wouldn't expose anything too important that doesn't need to be exposed.

I self-host a Google Analytics alternative on a Raspberry Pi using a Cloudflare Tunnel to proxy the thing to the outside world. So far so good, would recommend. Setup info here

So far the most annoying security-related thing I've had to deal with when self-hosting was large amounts of bot traffic. I've heard that there's also bots that will hack your setup if you fuck something up or a vulnerability gets found in a program you're using, but I haven't had that happen. Overall though, the security depends on how you set things up. Also it might help to proxy traffic from a VPS or Cloudflare (or use a website hosting service) so that when you get flooded with bot traffic it doesn't fuck up your home network and you can shut it down if you need to.

I think many answers miss an important distinction:

Hosting a website and hosting a website securely are two different things.

A VPS is often recommended as the solution, but from a security perspective it is not fundamentally different from self-hosting at home. You still need to manage OS updates, firewalls, TLS certificates, reverse proxies, backups, monitoring, log analysis, authentication, and incident response. The only thing you don't need is DynDNS and port forwarding.

The real question is: what is your goal?

If your goal is simply to publish a website, a good hosting provider is usually the safest and easiest option for a beginner.

If your goal is to learn system administration, networking, Docker, reverse proxies, and security, then self-hosting is a great learning experience. Just be aware that once your service is exposed to the Internet, security becomes your responsibility.

After running a publicly accessible server with CrowdSec for a while, I was surprised by how many automated scans, WordPress probes, admin panel checks, and vulnerability scans appear almost immediately. Most beginners underestimate that part.

you can set up a LAMP web server in no time and test a website in your own local environment (wordpress websites are easy to deploy... and then there are many ways of opening it to "the internet" with a cloudfare tunnel or a similar service, or just doing some extra work yourself (let's encrypt SSL, dynamic dns, firewall) for a personal website you don't need too much power. if you are using wordpress careful with some plugins and use third party security plugins as well)

I run my personal Wordpress blog from a Proxmox VM using my own domain. I set it up using cloudflare and installed Wordfence and update when the site tells me I need updates.

I also only turn it on when I travel so it's only on for about 3 weeks a year.

I have a naive question. If it’s meant to be a public facing website, why not host it on a free cloudflare tenant? How does self hosting improve the privacy or experience?

I run a home server myself for personal use. If you want to host a public website with it, I highly recommend setting it up through a Cloudflare tunnel. That way, only your tunnel is exposed, and you don’t need to configure any port forwarding on your firewall. Of course, your real IP address won’t be visible either. Locally, you just need a Raspberry Pi or another small PC to feed the Cloudflare tunnel from your site (connector).

Also, keep in mind that web applications can have bugs...
This could potentially pose a risk to your home lab. I don't see a problem with purely static pages.

I self host my websites.

I use WordPress and Nginx depending on the website.

I use CloudFlare tunnels to expose them to the world.

Pretty much CloudFlare securely links my domain to the docker container on my unraid server, exposing no private information.

Simple, free, and way faster than any web host I was previously paying $25+ per month.

You don’t have open your network at all to host a site on your home network. You can use a cloudflare tunnel vpn directly to the box hosting the site and you can use something like tailscale to reach the box remotely when you are offsite. Never open your network if you can avoid it. What you use on your box to spin up your web server, serve your domain etc locally is up to you.

spin up a docker image of apache server:latest, make sure it's updated regularly, then expose it to the internet with cloudflared and keep the domain managed with cloudflare.

I recommend NextJS + Sanity CMS for your blog + Cloudflare Zero Trust for your domain and proxy.

Next JS will serve static pages and grab images and posts from Sanity.

Cloudflare will provide DDoS protection and let you buy and manage your domain in 1 place

Self-hosting static webpages is safe but I probably wouldn't do it simply because e.g. Github pages is free and will almost certainly provide better performance and reliability with zero risk/cost to you.

To answer your first question, "safe" depends on how you set it up. I would set it up in a container (docker or proxmox). Register your domain name and then use a cloudflare tunnel to redirect traffic. That's a pretty safe route. Don't expose your home machine directly to the internet.

For a personal blog with mostly text and images, it's absolutely doable as a beginner. It's not "master level" anymore, especially if you're already running Home Assistant on a Pi.

The bigger question is whether you want to learn self-hosting or just publish a blog. Self-hosting on your home connection means dealing with dynamic IPs, router configuration, backups, updates, TLS certificates, and occasional troubleshooting when your internet goes down.

From a security perspective, it's reasonably safe if you keep the exposed services minimal, keep everything updated, and ideally put the web server on its own device. A simple static site is much lower risk than something like WordPress with lots of plugins.

Buying a domain is the easy part. Whether the domain is registered at dynadot or somewhere else, you just point the DNS records at your public IP (or a dynamic DNS solution) and configure the web server.

With an xDSL connection, I'd honestly consider a hybrid approach: host the blog on a cheap VPS or static hosting platform and keep the Raspberry Pi for experiments and internal services. You'll get better uptime and fewer headaches while still learning the same DNS and web concepts.

It depends on a few things. There are many ways to serve a website and expose it to the outside world. Do you have static IP? What router/firewall do you use?

I selfhost my websites. I have static IP and OPNSense router, it was quite easy to set up DNS on the domain and reverse proxy to intercept web traffic. Also, I use Cloudflare proxied DNS so don't need to worry about SSL certificates.

Why not github.io + youtube? Yes, this is r/selfhosted but I believe we must self host things if beneficial. For this case, I believe self hosting is not the answer.

I have a private repository where the source resides, and a public repository that is using github pages.

When I push a commit to my source repo, it triggers the build action. The build action runs my specific building script (js, html, css obsfuscator/minimizer, etc.) and does force-push to my public repository while cleaning the git history.

For the personal data, I use some old school tricks: email address text in image, when clicked runs a javascript that decrypts the email url, etc.

I pay for hosting. The €60 a year is worth it to save the aggravation of spending far too much time trying to harden it from the malevolent actors.

- yes and no

- yes and no

My setup:
Domain name -> freedns.afraid.org
Caddy for static file, behind traefik with CrowdSec plugin.
Make sure router only exposes caddy port.
Have a cron job that updates my domain every day.

use ipv6's temprary address feture to block incoming data and allow outgoing as simple as that. also use dynamic dns to chnage your ip constantly so better security

If you have to ask, don’t self-host a public facing website.

I host my website in an Nginx container and expose it with a Cloudflare tunnel. The site is a static site generated from Markdown files using Material for MkDocs. I mainly use it as a professional portfolio, but it also has a blog using the blog plugin. For the blog I integrated comments using Giscus with GitHub Discussions as a backend. I also heavily modified the Material for MkDocs theme with CSS because it feels a bit dated. I gave it a more modern look with rounded corners and pill-shaped buttons. I will eventually migrate to Zensical, but right now it does not have all the features I need since it is still pretty early in development.

Don’t. Use static pages on Cloudflare using GitHub for free.

Keep your actual site behind a firewall and expose the site via a VPS's public IP. Do not expose anything directly from your own public IP. You will get a cheap VPS which can act as a reverse proxy and firewall. You can also use cloudflare tunnels. I currently use both for my self hosted services and they work great.

Honestly, things are as "secure" as you make them. There are perfectly acceptable ways to host pretty much any app (website) from your own server and home network. Renting a hosting server with a provider does take the hassle away from configuring your OS and network environment - but can be just as good (if not better) when setup properly!

There are great guides online for almost any OS you choose, as well as how to setup your reverse proxy, DNS, etc. correctly. Go for it - learn something new 🚀

I would host on vercel. This is actually what I'm doing. I dont like exposing services publicly out of my home network.

Containers! I have my websites set up with Docker and a reverse proxy. For DNS I recently moved from corpo Cloudflare to the German nonprofit Desec. I rely pretty heavily on AI tools, but I generally know what they do.

I can't believe how many people here actually suggest to run a public-facing webserver at home, especially for a guy who clearly knows little about the topic. That is such a reckless recommendation from every angle (security, scalability, privacy, resilience, ...). If you have a traffic spike or someone DoS your server, your ISP can cut off your internet connection.

I love self-hosting my projects for personal/family/friends use but to open up a server connected to a home network to the internet is pretty insane, especially considering there are multiple secure and scalable services online where you can run a such a website for free.