by superkuh 1598 days ago
You don't have to enable port forwarding to get your router exploited. I'd argue that port forwarding has neither a positive nor a negative effect on your router's security.

I've been hosting from home for 20+ years and I've never been troubled. But I only run static websites.

1 comment

Yeah, like I said, I realize I am being paranoid, but there are far-fetched scenarios where serving static sites from home could compromise my home network.

Take the recent log4j vulnerabilities. Serving static content and logging trivial fields like request headers would lead to RCE. If that box can route to my home router, and my router has a defect available through routersploit, my network is completely pwned.

A network-isolated VM with a tunnel to a remote VPS would stop that particular attack.

All that being said… if a sophisticated adversary is targeting me, I have to concede there are much easier routes to take.

I’m a security engineer at my day job, so I may have conditioned myself into excessive fear.

A static webserver is just the webserver in my mind. If you use something like nginx you are only going to be surprised by a remote exploit about once every two decades. Yeah, if you use some sprawling set of 'apps' that use things like Log4j on top of your server you're exposing attack surfaces.