How we secure self-hosted AI stacks
The unglamorous configuration work behind every build we ship.
Every stack we ship goes through a baseline hardening pass before handover. None of it is glamorous, but the absence of any one of these steps tends to be visible only after something goes wrong.
TLS is non-negotiable. We default to Caddy with automatic certificate provisioning — it removes one of the more common failure modes in the post-handover period (expired certs).
Authentication sits in front of every admin surface. n8n's editor, OpenWebUI's settings, the vector store dashboards — all behind an authenticated reverse proxy, never exposed directly. Where the threat model justifies it, we add IP allowlisting or VPN-only access for the editor while keeping the chat surface accessible.
Fail2ban handles SSH. UFW or equivalent locks down everything else. We log to journald and rotate aggressively.
Credential rotation is the one most teams forget. We document the process during handover and run through it together — not so we have access, but so the team knows the muscle memory before they need it.
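The four steps above (TLS via Caddy, authenticated proxy with an IP allowlist in front of the editor, fail2ban plus UFW, aggressive journald rotation) fit in one small provisioning script. The script below is an added example, not the studio's own handover tooling; every hostname, upstream address, CIDR and password hash in it is an assumption (chat.example.com, n8n.example.com, open-webui:8080, n8n:5678, 203.0.113.0/24, 10.8.0.0/24, and a placeholder bcrypt hash to be generated with `caddy hash-password`). It renders the configuration files into a root directory first, so they can be inspected or diffed on a workstation, and only touches the firewall and services when run with `--apply` on the target host.

```shell
#!/bin/sh
# Added example (not the original page's code): baseline hardening for a
# self-hosted AI stack. All hostnames, upstreams, CIDRs and the bcrypt hash
# are hypothetical placeholders and must be replaced per deployment.
set -eu

# Render every config file under $1 (defaults to "/"). Running it against a
# scratch directory lets you review the output before it lands on a host.
write_configs() {
  root="${1:-/}"
  root="${root%/}"
  mkdir -p "$root/etc/caddy" "$root/etc/fail2ban" "$root/etc/systemd/journald.conf.d"

  # Caddy terminates TLS for both hosts (certificates are provisioned and
  # renewed automatically, which removes the expired-cert failure mode).
  cat > "$root/etc/caddy/Caddyfile" <<'EOF'
# Chat surface: reachable to users, OpenWebUI keeps its own login.
chat.example.com {
	reverse_proxy open-webui:8080
}

# Automation host: webhooks stay public so workflows keep firing; the editor
# (everything else) is reachable only from allowlisted networks and is
# password-gated at the proxy, never exposed directly.
n8n.example.com {
	@webhooks path /webhook/* /webhook-test/*
	handle @webhooks {
		reverse_proxy n8n:5678
	}

	# Assumed office range plus an assumed VPN range.
	@trusted remote_ip 203.0.113.0/24 10.8.0.0/24
	handle @trusted {
		basic_auth {
			operator $2a$14$REPLACE_WITH_OUTPUT_OF_caddy_hash-password
		}
		reverse_proxy n8n:5678
	}

	# Any other source never reaches the editor.
	handle {
		respond 403
	}
}
EOF

  # fail2ban: SSH brute-force protection with a short ban window.
  cat > "$root/etc/fail2ban/jail.local" <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
EOF

  # journald: cap disk use and retention so logs rotate instead of filling the volume.
  cat > "$root/etc/systemd/journald.conf.d/10-rotate.conf" <<'EOF'
[Journal]
SystemMaxUse=500M
SystemMaxFileSize=50M
MaxRetentionSec=2week
EOF
}

# UFW: default deny inbound; only SSH and the two ports Caddy needs
# (80 for the ACME HTTP challenge and the HTTPS redirect, 443 for TLS).
apply_firewall() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 22/tcp
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
}

apply_all() {
  write_configs /
  apply_firewall
  systemctl restart systemd-journald fail2ban
  # Validate before reloading so a typo never takes the proxy down.
  caddy validate --config /etc/caddy/Caddyfile && systemctl reload caddy
}

if [ "${1:-}" = "--apply" ]; then
  apply_all
fi
```

Without arguments the script only defines its functions; `write_configs /tmp/review` renders the files for inspection, and `--apply` is the step run on the host during the handover session. The bcrypt hash is the one per-deployment secret in the file, which is also why it is the first thing to rotate when the credential-rotation walkthrough happens.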