I have some simple self-hosted services running on a small Linode VPS (mostly as a useful hobby). If you are in a similar boat (one-person hobby sysadmin), I’d like to share some useful web tools I have discovered during my dabbling with my web server setup.

HTTPS

It is a good idea to serve your website over HTTPS as soon as you have any kind of authorization or server-side logic (and even if it’s a completely static site, it’s still good practice: it gives users confidence in page integrity, since plain unencrypted HTTP can be tampered with by any intermediate host, proxy or cache). Nowadays, HTTPS is very simple to set up using Let’s Encrypt: it’s a one-off setup procedure with automated certificate renewal afterwards and no bureaucracy whatsoever (compared to the free, but manual and rather bureaucratic, procedure of getting StartSSL certificates which I used before).

On the other hand, TLS (the protocol underlying HTTPS security) is complicated, with a lot of subtleties to get right: e.g. the server should send the full chain of certificate authority certificates (ideally excluding the root certificate authority, which is installed in the OS/browser anyway, to save bytes on every handshake), and the server should use reliable, modern ciphers and key exchange methods without known vulnerabilities. There are also higher-level attacks, such as a man-in-the-middle downgrading the negotiated TLS version.

The SSL Labs HTTPS server test provides a good starting point for learning about these intricacies and vulnerabilities, and gives helpful advice for improving the HTTPS setup.
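The points above (no legacy protocol versions, no weak ciphers, a complete chain) can be pinned down in the server configuration itself rather than discovered only by an external test. The following is an added illustration using Python’s standard `ssl` module; it is not code from the original post or from any of the tools mentioned. The cipher string, the `build_server_context` and helper names, and the `OP_NO_COMPRESSION` choice are my own; no certificate is loaded unless you pass one, so the functions only express the policy.

```python
"""Hardened server-side TLS policy, expressed with the standard ssl module.

Added example (hypothetical helper names). It shows the settings that an
SSL Labs scan would otherwise flag: minimum TLS 1.2, ECDHE-only key
exchange with AEAD ciphers, TLS compression disabled, and a reminder that
the chain file must contain the leaf plus intermediates.
"""
import ssl

# OpenSSL cipher-list syntax (assumption: this list is a reasonable modern
# baseline, not a value taken from the post). Only ECDHE key exchange with
# AES-GCM or ChaCha20 is allowed; anonymous, MD5, RC4 and 3DES suites are
# excluded explicitly. TLS 1.3 suites are managed separately by OpenSSL
# and are always AEAD.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def build_server_context(certfile=None, keyfile=None):
    """Return an SSLContext that refuses TLS < 1.2 and non-AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse the versions a downgrade attack would try to negotiate.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    # TLS-level compression enables the CRIME attack; make sure it is off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        # certfile must contain the leaf certificate first, followed by the
        # intermediate CA certificates; the root is optional because
        # clients already trust it.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def negotiable_protocols(ctx):
    """Protocol versions for which at least one cipher suite is enabled."""
    return sorted({c["protocol"] for c in ctx.get_ciphers()})


def non_aead_ciphers(ctx):
    """Names of enabled cipher suites that are not AEAD (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


if __name__ == "__main__":
    context = build_server_context()
    print("minimum version:", context.minimum_version)
    print("negotiable protocols:", negotiable_protocols(context))
    print("non-AEAD suites still enabled:", non_aead_ciphers(context))
```

Pass the context to `ssl.SSLSocket`/`wrap_socket` or to a framework that accepts an `SSLContext`; the same settings map directly onto `ssl_protocols`/`ssl_ciphers` in nginx or `SSLProtocol`/`SSLCipherSuite` in Apache if your server is configured there instead.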

Web security

Even a simple web service with a couple of forms and actions might present a surprisingly large attack surface: CSRF, clickjacking, XSS, downgrading SSL/TLS to older versions, third-party JavaScript risks (e.g. even if you trust the third party—which is usually the case!—loading its script over plain HTTP is risky, because anyone on the path can replace it).

A good place to start learning the theory is https://wiki.mozilla.org/WebAppSec and https://www.owasp.org/index.php/Cheat_Sheets.

Mozilla HTTP Observatory is a very helpful tool to check how well your HTTP server setup is equipped against common security hazards: does it send the security-relevant HTTP headers, does it redirect HTTP to HTTPS, etc.
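Observatory’s checks for the issues listed above (clickjacking, XSS, HTTPS enforcement) largely come down to response headers. As an added example that is not the Observatory’s code or scoring, here is a small audit function over a dictionary of response headers; the baseline it checks (HSTS max-age of at least 180 days, a CSP that does not allow `*` or `'unsafe-inline'` for scripts, clickjacking protection via `frame-ancestors` or `X-Frame-Options`, and `nosniff`) is my own choice, and the two sample header sets are constructed for illustration.

```python
"""Audit HTTP response headers against a small security baseline.

Added example (hypothetical function names, constructed sample data). It
reproduces the spirit of the Mozilla HTTP Observatory header checks, not
its exact rules or scores.
"""
import re

# 180 days, a commonly used minimum for HSTS (assumption, not from the post).
MIN_HSTS_AGE = 15552000

# Constructed sample: headers a well-configured hobby server might send.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: headers that are present but too permissive.
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}


def parse_csp(value):
    """Turn 'a b c; d e' into {'a': {'b', 'c'}, 'd': {'e'}}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = set(tokens[1:])
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    # Header names are case-insensitive in HTTP, so normalise for lookup.
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # HSTS: present and with a max-age long enough to matter.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(
                "Strict-Transport-Security max-age below %d seconds" % MIN_HSTS_AGE)

    # CSP: present, and scripts not sourced from anywhere / inline.
    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        script_sources = directives.get("script-src", directives.get("default-src", set()))
        if script_sources & {"*", "'unsafe-inline'"}:
            findings.append("CSP allows '*' or 'unsafe-inline' for scripts (XSS risk)")

    # Clickjacking: either frame-ancestors or a restrictive X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    # MIME sniffing: browsers must honour the declared Content-Type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_headers(sample) or "baseline met")
```

To run it against a live server, fetch the headers with `urllib.request` or `requests` and pass the response’s header mapping to `audit_headers`; the CSP and clickjacking checks cover the headers, not the HTTP-to-HTTPS redirect, which is a separate check on the plain-HTTP response.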

RSS/XML/HTML5 validators

If you have RSS feeds, it’s a good idea to validate them against the standard: https://validator.w3.org/feed/.

User experience

If you want your site to have a modern look and good performance, particularly on mobile (both of which are essential for e.g. good ranking in search results), Google has a helpful tool: PageSpeed Insights.

PageSpeed Insights provides advice about page and asset size (minification of HTML/CSS/JS/images), server response time, page rendering delays, the web server’s caching and compression setup, and other useful things.