One extra layer I put on my externally facing sites is a simple auth prompt (after redirect to https!) as an unlikely-to-have-a-compromise gate before any logon for a self-hosted service. You can make it a fairly easy-to-remember username/password for anyone you want to share your self-hosted apps with, since it's a mostly irrelevant extra step just to guard against exploits in more complicated software stacks.
I started using traefik as my load balancer, which supports authentication middleware. I rigged up keycloak and forward-auth to handle external services that either do not support authentication or have a weak security profile. A poor man's zero trust setup.
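The layering the two posts above describe (HTTPS redirect, then a simple basic-auth gate, then forward-auth to an OIDC provider) can be expressed as a single Traefik v2 dynamic configuration. This is an added example, not either poster's actual config. The host name, the backend URL, the `forward-auth` service address and the placeholder password hash are assumptions; Traefik's `forwardAuth` middleware only calls an HTTP endpoint, so the `forward-auth:4181` address stands for a separate forward-auth proxy that speaks to Keycloak, not Keycloak itself.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example; all
# names, addresses and the hash below are placeholders, not a real deployment.
http:
  routers:
    # Plain-HTTP router exists only to bounce clients to HTTPS, so the
    # basic-auth credentials are never sent over cleartext.
    app-http:
      rule: "Host(`app.example.com`)"   # assumed host
      entryPoints:
        - web
      middlewares:
        - to-https
      service: app

    # HTTPS router: middlewares are applied in list order, so the cheap
    # basic-auth gate runs before the forward-auth round trip.
    app:
      rule: "Host(`app.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - front-gate
        - keycloak-auth
      service: app
      tls: {}

  middlewares:
    to-https:
      redirectScheme:
        scheme: https
        permanent: true

    # The "simple auth at the very front": one shared htpasswd-style
    # credential. Generate a real bcrypt entry with `htpasswd -nB shared`
    # and paste its output here; the value below is a placeholder only.
    front-gate:
      basicAuth:
        users:
          - "shared:$2y$05$REPLACE_WITH_HTPASSWD_OUTPUT"

    # Second gate: every request is checked against a forward-auth proxy
    # that holds the Keycloak OIDC session. Address is assumed.
    keycloak-auth:
      forwardAuth:
        address: "http://forward-auth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"   # assumed backend
```

Two things worth checking after applying this: confirm with `curl -I http://app.example.com/` that the plain-HTTP entry point answers with a 301/308 to `https://` and never with a `WWW-Authenticate` challenge, and confirm that a request with only the basic-auth header still gets redirected by the forward-auth middleware rather than reaching the backend, which proves both gates are actually in the chain.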
Neat! Thanks for the tip.
I might integrate this in some of my auth, but I'll probably keep using simple auth at the very front due to its old age and absolute simplicity making exploits unlikely.