[dabernathy89]

I always wonder, for folks who self-host on Droplets or EC2 - how do you handle provisioning the server to ensure that it's secure and has everything you need? I use Laravel Forge for this. I'm not a server admin and don't want to pretend to be.

[OrangeMonkey]

For droplets and ec2, you 'own' the inside of the virtual machine and its your responsibility to install software that you need and patch it according to a routine schedule.

That said, both services have firewall rules you put in place that help manage this. IE - you may expose SSH to your local ip address, but only port 80/443 for the rest of the world.

You are right though - its another attack vector. If you don't want to muck with that, and you have a static site, you could put your static site into S3 and then host with cloudfront. With that, you have no risk.