It's as safe as whatever software stack you'd be using on the Raspberry Pi to serve the site, same as if you'd be hosting it on a VPS in someone's cloud (though in your case if there's a vulnerability of a particular kind, someone could gain access to your local network).

Since you're not hosting the site on the router itself, presumably you're forwarding port 80 from the router to the Raspberry Pi, so unless the security of the Pi ends up being broken, the router should be safe.

(Also I'd recommend using Let's Encrypt to get an automatically-renewing TLS cert so you can serve https on port 443 as well, and even redirect port 80 to it. It's not that difficult to set up, and you'll be improving the privacy and security of those who visit your site.)

I was considering self hosting at home. If the local network should be disconnected IMHO only a DMZ will help. My router doesn't support that so the setup will be:

ISP router (with disabled wlan) <-> firewall <- home router (with wlan)

and the firewall can then separate the network by port. WAN for the firewall is the LAN Port of my ISP router.

Is that a good setup?

If it's a static site? Probably safe-ish, I suppose bots and bored teens could DDOS it. You could also choose a non-standard port, that might cut down on the noise.

Thanks! I want to learn what could go wrong. Can you point me to any resource/book to study this particular matter?

It depends entirely on what technologies you are specifically exposing. If you are serving a page with a web server application like Nginx or Apache, you should read about securing those applications. If you are writing a NodeJS application, you should read something specific to that.

If you want something very general and comprehensive, you can read this, although it is probably too involved for a basic "website": https://owasp.org/www-project-web-security-testing-guide/sta...

I would recommend you put it behind Cloudflare, it will mask your home IP address and will absorb any attacks

https://skylar.tech/create-fast-websites-from-your-home-netw...

Please don't do that. It's a terrible idea because CloudFlare will then get to decide who gets to see your website or not (and CloudFlare hates privacy tech like Tor), and also because then CloudFlare will terminate the HTTPS (TLS) connection on their side so they essentially get to know all your passwords.

I've selfhosted on 64Kbit/s modem then xDSL for years without a problem (apart from bots trying default passwords). If you are really afraid you'll run into DDOS attacks and whatnot, consider using a small 2-5$/mo VPS as reverse-proxy instead of CloudFlare to retain control of your infrastructure.

If you disable the router's remote administration feature and/or change the router's default administration password, it should be safe.

> I was planning to host a simple website on my RasberryPi using Dynamic DNS - which I think requires me to expose port 80 to the internet. Is that safe?

See if ngrok can do what you want to do