CottonAdmin security checkup
Admin security checkup

Stop guessing whether your self-hosted instance is hardened.

Cotton turns self-hosted security posture into an operator screen. The checkup names concrete risks such as key source, public mode, admin 2FA, diagnostics, dumpability, seccomp, ptrace, Docker socket exposure, writable rootfs, confinement, and database integrity rollout state.

Operator checkContainer postureAdmin 2FAKey sourceDatabase integrity

Operator surface, not public theatre

The checkup is intentionally admin-only. It is not a public healthcheck endpoint and not a marketing badge; it is a private operator surface for seeing which deployment and account choices still need attention.

  • The page can turn signals into a readable 0-10 posture score.
  • Warnings are phrased as concrete threat vectors rather than vague security color.
  • The output belongs behind admin authentication because it describes hardening gaps.

Deployment signals

Cotton can inspect process and container posture such as .NET diagnostics, Linux dumpability, effective UID, no-new-privileges, seccomp mode, ptrace capability, writable root filesystem, Docker socket exposure, host PID namespace hints, core dump settings, and AppArmor or SELinux confinement.

  • These checks catch easy-to-miss self-hosting mistakes.
  • They help separate a home-trusted deployment from a publicly exposed one.
  • They do not replace host hardening or a real deployment review.

Key and account signals

The page can warn about master-key source, public or demo mode, and admin accounts without 2FA. That matters because storage encryption and passkeys are only useful when operators can see how the instance is actually configured.

  • Browser unlock can keep the master key out of deployment environment metadata.
  • Environment key mode can still be practical for trusted home servers that need unattended restart.
  • Admin 2FA coverage is visible instead of being buried in user settings.

Database integrity rollout

Database integrity signatures are part of the posture story. The checkup can warn while bridge mode remains enabled so operators know when protected metadata is still in a rollout state.

Cheap hardening first

The practical target is not paranoia from the first boot. Cotton makes cheap hardening layers visible: non-root runtime path, disabled .NET diagnostics, dumpability reduction, no-new-privileges, seccomp, 2FA coverage, and avoiding obvious Docker socket exposure.

Expert hardening stays explicit

Read-only root filesystems, custom seccomp or AppArmor profiles, encrypted swap, kernel ptrace settings, TPM/HSM/KMS, or a separate key agent can be valuable, but they are expert choices. Applied blindly, they can break volume permissions, debugging, previews, or restore workflows.

Signals the checkup can name

The checkup can report public account creation, master-key source, admin 2FA coverage, database-integrity bridge state, .NET diagnostics, Linux dumpability, seccomp, CAP_SYS_PTRACE, writable rootfs, Docker socket exposure, likely host PID namespace use, core dump limits, core_pattern, and AppArmor or SELinux confinement.

Visible security is easier to fix

Self-hosted security cannot be treated as assumed. Cotton is stronger when the admin UI says what is risky, why it matters, and which ordinary hardening steps are still missing.

The hard boundary

Cotton does not pretend software can defeat full host compromise. If an attacker can execute code inside the Cotton process, software flags cannot fully hide the in-memory key from that process. These checks mostly reduce accidental exposure, dump surfaces, and neighbor-process/container privilege risks.

Operator proof

The checkup should show the exact risk, not a vague warning.

Cotton does not sell the admin score as a magic shield. It is a practical surface for finding obvious exposure before the instance is treated as public infrastructure.

Admin security screenDeployment posture is visible as concrete warnings and remediation context, not a vague production checklist.

Process and container

.NET diagnostics, Linux dumpability, effective UID, no-new-privileges, seccomp, ptrace, writable rootfs, Docker socket, host PID hints, core dumps, and confinement.

Keys and accounts

Master-key source, public/demo mode, and admin accounts without 2FA are surfaced as operator decisions instead of hidden deployment trivia.

Metadata posture

Database-integrity bridge state tells operators whether protected SQL metadata is still in rollout posture.

Honest boundary

Hardening signals reduce exposure. They do not beat host compromise.

If hostile code runs inside the Cotton process, software cannot fully hide the in-memory key from that process. The checkup is still valuable because many real self-hosting failures are accidental: diagnostics left open, dump surfaces enabled, Docker socket mounted, weak admin posture, or public mode forgotten.

  • Keep the checkup admin-only.
  • Use browser unlock when env metadata is a concern.
  • Require 2FA for admins on exposed instances.
  • Avoid Docker socket mounts and unnecessary host privileges.
  • Validate hardened compose changes before relying on them.
  • Keep backups and restore testing outside this score.
FAQ

Direct answers

Is the security checkup a public healthcheck?

No. It is an admin-only operator page because it exposes deployment posture and hardening gaps. Public healthchecks should not reveal those details.

Does a high score mean the instance is unhackable?

No. The score is a practical posture summary, not a security guarantee or audit result. Host compromise, bad backups, exposed secrets, and weak operational practice still matter.

Why warn about COTTON_MASTER_KEY in the environment?

Environment key mode can be useful for unattended home-server restarts, but deployment systems can retain env metadata. Browser unlock keeps the key out of that metadata at the cost of manual unlock after restart.

Can hardening break normal operation?

Yes. Read-only filesystems, custom profiles, or aggressive container restrictions can break volume permissions, debugging, previews, or restore paths if applied without testing.