After my previous server got hacked (presumably), I am now looking for new solutions to my needs. CalDAV/CardDAV is a big one.

So far I switched from a content management system (PHP) to a static site generator for my blog, and I’m not looking back.

I wonder if it makes sense to also step away from PHP with respect to CalDAV/CardDAV.

As ever so often, this list has some nice info.

I’d like to keep dependencies low. Python would be a good choice because it’s already installed on my Debian Stable system. But would it be safer?

Back when I started this, compatibility with clients was an issue; but I don’t use Android anymore. In any case, is this still an issue?

edit: no, I don’t use a web based app; and I’d prefer the server doesn’t require admin via web UI either.


Thanks for all your replies! I chose Radicale, already set it up. Only what is needed, simple config files. Very nice. It runs under an nginx reverse proxy and they communicate encrypted (and of course the outside is also encrypted and password-protected). And the web UI can be disabled.

The documentation is very tutorial-like and security conscious.
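The setup described in the update above (Radicale bound only to the loopback interface behind nginx, TLS between proxy and server, password authentication, web UI disabled) as a Radicale 3 `config` file; this is an added example, not the poster's actual configuration. The option names are Radicale's documented ones, while the file paths and the listening port are assumptions for illustration.

```ini
[server]
# Listen on loopback only, so the reverse proxy is the sole way in;
# the address itself is an assumption, adjust to the proxy's upstream.
hosts = 127.0.0.1:5232
# Encrypt the hop between nginx and Radicale (the "inside" leg);
# certificate/key paths are assumptions.
ssl = True
certificate = /etc/radicale/server.cert.pem
key = /etc/radicale/server.key.pem

[auth]
# Require a password for every request, stored hashed with bcrypt
# rather than plain text; users file path is an assumption.
type = htpasswd
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt

[rights]
# Each authenticated user may only reach their own collections.
type = owner_only

[storage]
# Plain-file storage; path is an assumption.
filesystem_folder = /var/lib/radicale/collections

[web]
# Disable the built-in web UI so there is no browser-facing surface
# to expose or administer through.
type = none
```

With `hosts` on loopback, a quick check that nothing is reachable from outside is `ss -ltnp | grep 5232`, which should show the listener bound to 127.0.0.1 only.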

  • doeknius_gloek@discuss.tchncs.de · 3 days ago (edited) · 11 up / 1 down

    Security in software is about implementation, not different programming languages. Security as a whole is also not something you can achieve just by installing “secure” software - every software has bugs and vulnerabilities. Some of them are known, others are unknown and not every one of them automatically poses a security risk to you, this depends on the bug, your usage and environment. You can try to harden your system, but you need to do this in layers and the application code is just one of them.

    For example, you could geoblock IP addresses so their requests never even reach your application. This does not mean that you’re automatically safe from attackers from e.g. Russia, but you make yourself a less easy target.

    There are many other defense mechanisms like request limiting, dynamically blocking malicious requests with something like Fail2Ban, strong authentication, frequent patching, network segregation, virtualization, and so on. I hope you see where I’m going. Security is complex and depends a lot on your personal threat model.

    That being said, if you need to know how secure the code of a given software is, you need to find something that has recently been audited or audit it yourself.