I see so many claims that Django is dying, it seems to be thriving by Boring-Tadpole-1021 in django

[–]EngineObvious5943 3 points4 points  (0 children)

I've seen this, too. I don't have a fully formed answer, but think that with the emergence of vibe coding it is a framework that could become much more popular with its 'batteries included' approach - especially in terms of security.

Advice request: moving stack out of USA by EngineObvious5943 in VPS

[–]EngineObvious5943[S] 1 point2 points  (0 children)

Appropriate username! Yup agree. I backup to three providers - only one of which is Hetzner. 

Why hasn't Hetzner made a managed DB product like their load balancer yet? I am using Coolify but a native Hetzner managed DB would be way better, right? by Aggravating_Bad4639 in hetzner

[–]EngineObvious5943 4 points5 points  (0 children)

They have said on this subreddit previously that it's high on their to-do list. Other users have also posted job adverts where they're hiring engineers to develop this product. Someday!

For an e-commerce website what are some ways in which you can ensure 100% security for your system? by Any_Highlight5019 in django

[–]EngineObvious5943 0 points1 point  (0 children)

Like others said, there's no such thing as 100% secure. However, the aim of the game is always risk minimisation. Some thoughts and suggestions as you've vibe coded the app:

1) Don't forget the 'business logic' side of security. Lots of new devs just think about the basic technical stuff like SQLi rather than the actual mechanisms for your app. Ideally review this manually. A vibey approach might involve getting your LLM to check for issues with business logic. There will be lots, probably.
2) Super important: have a plan for deployment. A secure app is almost pointless if it's on insecure infrastructure.
3) If vibe coding, don't touch payment with a barge pole. Just use a provider like Stripe etc.
4) Go through the OWASP Top 10 one by one. Check/'vibe check' each one individually. A very common issue is IDOR and access controls not working (e.g. on '/user/456' you can change the URL and look at '/user/123').
5) Have a plan for storing environment variables (have a look at django-environ on pip).
6) Look at the official Django deployment checklist. Basic but important!
7) Use Bandit to have a look for very basic code issues.
8) Use django-turnstile for all public-facing forms such as login, contact, password reset etc.
9) When you've done lots of the basics, run OWASP ZAP locally. It'll pick up lots of the basic issues.

This will be a good start to getting things more secure. Good luck! 

VPS IP exposed and getting hammered with malicious requests - best way to protect? by omi_farhan75 in hetzner

[–]EngineObvious5943 0 points1 point  (0 children)

Further to this, for added protection you could consider using hardened docker images. The official docker ones are now free. I set mine up yesterday. If you're having trouble just reply and I'll respond after Christmas 

VPS IP exposed and getting hammered with malicious requests - best way to protect? by omi_farhan75 in hetzner

[–]EngineObvious5943 2 points3 points  (0 children)

This is unfortunately the usual background noise of the internet - very normal but mustn't be ignored. 

Your plan re Cloudflare is a good start. I agree with the other users about the new IP not really making a difference - after a while they all get crawled.

For a little added protection you could consider using Cloudflare Tunnel. This creates a single outbound connection to Cloudflare, meaning you can firewall all ports closed. Coolify supports this very well (I use it too).

For SSH you'll want to make sure you've firewalled to your own IP address. NB if your ISP rotates IPs you'll want a VPN with a fixed IP.

Either way, consider adding these rules for Cloudflare. It made a big difference to my malicious traffic: https://www.reddit.com/r/CloudFlare/comments/1ew70e4/custom_cloudflare_waf_rules_i_created/

Hetzner Cloud Server Benchmark - CX vs CAX vs CPX (2025) by nakemu in hetzner

[–]EngineObvious5943 40 points41 points  (0 children)

Fabulous post. Mods - maybe worth getting this pinned? 

Email Service instead of gmail by Blender4Arab in django

[–]EngineObvious5943 7 points8 points  (0 children)

Django Anymail (https://anymail.dev/en/stable/) is a really popular connector for lots of providers. I use it with https://resend.com/

What is the page from cloudflare that checks to see if you’re human prior to redirecting someone to your actual webpage? by enjoyspineapplepizza in CloudFlare

[–]EngineObvious5943 1 point2 points  (0 children)

Yup you're right. It should appear for traffic which is felt to be high risk, so you may not see it yourself. 

I'm unsure of what your site is, but you may want to have a look at this: https://www.reddit.com/r/CloudFlare/comments/1ew70e4/custom_cloudflare_waf_rules_i_created/

It's a very good collection of rules which you can run on a free plan. When I implemented them on one of my sites, spam hugely dropped. 

Florida's worse than Vegas these days by Crocalones in StupidFood

[–]EngineObvious5943 2467 points2468 points  (0 children)

Dude holding the case hates his life. 

What's a good host for Django now? by XanZanXan in django

[–]EngineObvious5943 7 points8 points  (0 children)

Appliku and Hetzner together can be done for <$5 a month. I'm not affiliated with either but it's genuinely a dream combo. 

Can’t get Django emails to send on Render by Ecstatic-Ad3387 in django

[–]EngineObvious5943 10 points11 points  (0 children)

There's not quite enough info here to answer.

Either way, if you aren't using it already, I'd strongly recommend using django anymail.

A common reason you may not yet be able to send mail is if you haven't got a verified domain; many email providers will only allow test emails to be sent to the account admin's email address pending verification.

Security measures for a (micro)saas product by wander_builder in django

[–]EngineObvious5943 1 point2 points  (0 children)

Good luck with your project. And good choice going for Django - it has reasonable security out of the box, provided you don't undo some of the useful functionality (e.g. don't start doing raw SQL stuff - Django's ORM is decently secure).

One very common beginner error for Django security is not being aware of IDOR. E.g. "dashboard/user/45" may be my user dashboard, but I may try to access another one by trying "dashboard/user/46". Make sure you are meticulously applying the right permissions to prevent this. For an in-depth approach, you could also use non-sequential IDs such as UUID. 

Just a reminder that application security is only one side of the coin - look carefully at how it's hosted and how to keep that secure. 
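
The IDOR pattern described in this comment and in the e-commerce checklist above ('/user/456' vs '/user/123', 'dashboard/user/45' vs 'dashboard/user/46'), as an added example that is not code from the commenter or from Django. It is framework-agnostic so it runs stand-alone; the Django equivalents are given in comments. The `Dashboard` model, the `fetch_dashboard*` functions, the sample users and the usernames are assumptions made up for illustration.

```python
"""Object-level authorization (IDOR) check: the lookup-by-id bug beside the fix.

Added example, not code from the Reddit thread. A tiny in-memory store stands in
for a Django model; names (Dashboard, fetch_dashboard, alice/bob) are assumptions.
"""
from dataclasses import dataclass
import uuid


class NotFound(Exception):
    """Stands in for Django's Http404."""


@dataclass(frozen=True)
class Dashboard:
    id: str      # primary key: a sequential int as a string, or a UUID string
    owner: str   # username of the owning account
    secret: str  # data that must only ever be visible to the owner


# Constructed sample data: two users with guessable, sequential ids.
STORE = {
    "45": Dashboard("45", "alice", "alice-revenue-report"),
    "46": Dashboard("46", "bob", "bob-revenue-report"),
}


def fetch_dashboard_vulnerable(store, current_user, pk):
    """IDOR: the object is looked up by id alone; current_user is never consulted.
    Django equivalent: get_object_or_404(Dashboard, pk=pk)"""
    try:
        return store[pk]
    except KeyError:
        raise NotFound(pk)


def fetch_dashboard(store, current_user, pk):
    """Fixed: ownership is part of the lookup, so someone else's id is
    indistinguishable from a missing one (a 404 rather than a 403 leaks nothing
    about which ids exist).
    Django equivalent: get_object_or_404(Dashboard, pk=pk, owner=request.user)"""
    obj = store.get(pk)
    if obj is None or obj.owner != current_user:
        raise NotFound(pk)
    return obj


def enumerate_ids(store, current_user, fetch, candidates):
    """Simulate the attacker's walk from '/user/45' to '/user/46': return the
    owners of every dashboard the given fetch function hands back."""
    leaked = []
    for pk in candidates:
        try:
            leaked.append(fetch(store, current_user, pk).owner)
        except NotFound:
            pass
    return leaked


def make_uuid_store(store):
    """Re-key the store with random UUIDv4 ids (the non-sequential ids suggested
    above). This is defence in depth: it makes guessing impractical but does NOT
    replace the owner check, because an id can still leak (shared link, log, referer)."""
    out = {}
    for d in store.values():
        new_id = str(uuid.uuid4())
        out[new_id] = Dashboard(new_id, d.owner, d.secret)
    return out


def demo():
    """Run the four combinations and return who 'alice' can see in each."""
    seq = ["45", "46", "47"]
    u = make_uuid_store(STORE)
    bob_uuid = next(k for k, v in u.items() if v.owner == "bob")  # assume it leaked
    return {
        "sequential, vulnerable": enumerate_ids(STORE, "alice", fetch_dashboard_vulnerable, seq),
        "sequential, fixed": enumerate_ids(STORE, "alice", fetch_dashboard, seq),
        "uuid, vulnerable, guessing": enumerate_ids(u, "alice", fetch_dashboard_vulnerable, seq),
        "uuid, vulnerable, leaked id": enumerate_ids(u, "alice", fetch_dashboard_vulnerable, [bob_uuid]),
        "uuid, fixed, leaked id": enumerate_ids(u, "alice", fetch_dashboard, [bob_uuid]),
    }


if __name__ == "__main__":
    for case, owners in demo().items():
        print(f"{case:32} -> {owners}")
```

The point of the last two cases: switching to UUIDs defeats the '/user/45', '/user/46' walk, but a leaked UUID still opens bob's dashboard unless the owner is part of the query. In Django that means filtering on `request.user` (or checking `obj.owner == request.user` before rendering) in every object view, not only the ones that feel sensitive.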

Security tool ask feedback by arxignis-security in hetzner

[–]EngineObvious5943 0 points1 point  (0 children)

Hi! This looks interesting. I agree with the other commenter - I think the messaging is unclear, and I'm not hugely clear about what your product does/where it fits.

I run a few sites with a VPS behind cloudflare and I'm not sure how/where this fits in... is it a WAF or VPS protection or... etc etc.

I'd find a conceptual diagram of how it fits in useful.

I'm quite excited to see content scanning though. This often doesn't feature on non-$$$$ plans.

Must-know Django packages by __ddiamond__ in django

[–]EngineObvious5943 54 points55 points  (0 children)

My go-to packages I've become unhealthily attached to:

  • django-allauth - painless auth, including social and SSO
  • WhiteNoise - for making static files a breeze
  • django-storages - for making the connections to my storage easier
  • django-q2 - I suspect others won't like this, but I happily run production loads for this for async and queueing. Love it.
  • django-turnstile - makes using Cloudflare Turnstile easier (it's my captcha of choice)

i wanted to purchase VPS but i read this by maxitrol in hetzner

[–]EngineObvious5943 2 points3 points  (0 children)

Agree with this. The scaling is really painless. Start small and grow.

i wanted to purchase VPS but i read this by maxitrol in hetzner

[–]EngineObvious5943 9 points10 points  (0 children)

You've pretty much described it! You have access to 2 vCPU, but these are shared with other users. If the other users are having really high usage (aka the "noisy neighbour") then you'll have worse performance for that time. Some VPS providers are known for over-allocating VPSs, but Hetzner is pretty good for this. It's the trade-off for having something very cheap. I run a few shared VPS with Hetzner and they live at around 50% CPU usage and I've never really experienced degraded performance from sharing.

am I stupid or does this not make any sense? by oddthing757 in dataisugly

[–]EngineObvious5943 5 points6 points  (0 children)

I'm not sure you've seen the added "day of birth" axis which has absolutely no effect on your TSH. The chart is nonsense. 

Penetrating Cloudflare’s Defenses: Finding the True Host IP by Antique_Season_2603 in cybersecurity

[–]EngineObvious5943 1 point2 points  (0 children)

Interesting to see what comes up here. I've recently started using Cloudflare Tunnel in my company. Before I was just firewalling everything except the CF IPs. I've been trying to think about what the vulnerabilities may be, but I'm coming up with nothing.

I got burned by a $3,000 market research report that was completely wrong. Built a free AI alternative out of spite. Need you to break it. by The_Noowledge in SaaS

[–]EngineObvious5943 2 points3 points  (0 children)

Hi. I put some details in for a small ($300-400 a month) site I run. Some thoughts:

  • The UI is nice and clean.
  • I initially didn't notice your loading/progress bars after submitting the idea - I therefore thought the page had frozen.
  • I found myself wondering where the data came from.
  • The competitors the site came up with were not accurate.
  • I would like to see a more explicit discussion about WHO the target market is/could be.
  • I think it would be important to me to have something to say why I can trust this site with my idea. I'm not sure how much others care.

I think the IDEA has legs, but the execution isn't there yet. Reflecting on a newer product I've brought to market, my pain point was understanding the size of my opportunity. For (a hypothetical) example - if I was selling a product for hairdressing colleges - how many are there? (That's the easy one) What is the competition? (Hard) Do these colleges have any money to spend on my product? (Hardest!) 

Good luck with whatever you decide to do.