Selfhosted

40246 readers

867 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

PHP and security (lemmy.world)

submitted 1 year ago* (last edited 1 year ago) by witten@lemmy.world to c/selfhosted@lemmy.world

29 comments fedilink hide all child comments

The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don't install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language's fault—or at least a contributing factor.

Maybe this isn't fair. Maybe PHP is just more accessible to new devs and so they're more likely to gravitate to it and make security mistakes. Maybe my perception isn't even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it's so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it's just out of date.

To be clear, I'm not trying to stoke the flames of a language holy war here or anything. I'm honestly asking: Is it maybe time to revisit my anti-PHP policy? I'm looking longingly at some federated software like Pixelfed and wondering if maybe I'm just being a little too close-minded.

So I'm interested in your own experiences and polices here. Where do you draw the security line for what you will or won't host, and what made you make that choice?

you are viewing a single comment's thread
view the rest of the comments

[–] witten@lemmy.world 1 points 1 year ago

That all seems prudent and reasonable. I guess some of my own anxiety is about how exactly I'll evaluate projects like you're talking about. I can (and do) certainly look at whether a project is actively developed before selecting it. Not just for security reasons.. I don't want to bet on a horse that won't get updated with fixes and features. But for security in particular, I guess I was hoping for ways to evaluate that for a project.. without exhaustively poring over its source. Maybe, to your point, the other mitigations you listed should be sufficient, and I should worry more about that side of things than picking the perfect project.