Operator surface, not public theatre
The checkup is intentionally admin-only. It is not a public healthcheck endpoint and not a marketing badge; it is a private operator surface for seeing which deployment and account choices still need attention.
- The page can turn signals into a readable 0-10 posture score.
- Warnings are phrased as concrete threat vectors rather than vague security color.
- The output belongs behind admin authentication because it describes hardening gaps.
Deployment signals
Cotton can inspect process and container posture such as .NET diagnostics, Linux dumpability, effective UID, no-new-privileges, seccomp mode, ptrace capability, writable root filesystem, Docker socket exposure, host PID namespace hints, core dump settings, and AppArmor or SELinux confinement.
- These checks catch easy-to-miss self-hosting mistakes.
- They help separate a home-trusted deployment from a publicly exposed one.
- They do not replace host hardening or a real deployment review.
Key and account signals
The page can warn about master-key source, public or demo mode, and admin accounts without 2FA. That matters because storage encryption and passkeys are only useful when operators can see how the instance is actually configured.
- Browser unlock can keep the master key out of deployment environment metadata.
- Environment key mode can still be practical for trusted home servers that need unattended restart.
- Admin 2FA coverage is visible instead of being buried in user settings.
Database integrity rollout
Database integrity signatures are part of the posture story. The checkup can warn while bridge mode remains enabled so operators know when protected metadata is still in a rollout state.
Cheap hardening first
The practical target is not paranoia from the first boot. Cotton makes cheap hardening layers visible: non-root runtime path, disabled .NET diagnostics, dumpability reduction, no-new-privileges, seccomp, 2FA coverage, and avoiding obvious Docker socket exposure.
Expert hardening stays explicit
Read-only root filesystems, custom seccomp or AppArmor profiles, encrypted swap, kernel ptrace settings, TPM/HSM/KMS, or a separate key agent can be valuable, but they are expert choices. Applied blindly, they can break volume permissions, debugging, previews, or restore workflows.
Signals the checkup can name
The checkup can report public account creation, master-key source, admin 2FA coverage, database-integrity bridge state, .NET diagnostics, Linux dumpability, seccomp, CAP_SYS_PTRACE, writable rootfs, Docker socket exposure, likely host PID namespace use, core dump limits, core_pattern, and AppArmor or SELinux confinement.
Visible security is easier to fix
Self-hosted security cannot be treated as assumed. Cotton is stronger when the admin UI says what is risky, why it matters, and which ordinary hardening steps are still missing.
The hard boundary
Cotton does not pretend software can defeat full host compromise. If an attacker can execute code inside the Cotton process, software flags cannot fully hide the in-memory key from that process. These checks mostly reduce accidental exposure, dump surfaces, and neighbor-process/container privilege risks.