00:00:00You probably heard about, read about the Vercel security incident that happened on April 19th.
00:00:07This episode is not about this incident. You find a link to it below if you want to learn more about
00:00:13it. A link to this official bulletin article. But instead I want to focus on one statement,
00:00:20a certain notion I could feel or see and read on X and other platforms after this incident,
00:00:27which was that now it's time to move to a VPS and use a VPS for hosting your webapp instead of using
00:00:34Vercel. And of course you could insert any managed hosting provider name here instead of Vercel,
00:00:41because they all come with the same advantages and disadvantages in the end.
00:00:48So is it now finally time to use a VPS instead of a managed provider?
00:00:54I think there are many good reasons to use a VPS, but security is not one of them. It's definitely
00:01:01not one of them. And it would be easy for me to tell you that you should absolutely move to a VPS,
00:01:08because I actually just released a course on VPS Essentials, where I get you started with
00:01:15doing stuff on a VPS, setting it up, configuring it, doing SSH hardening, running a web app on it.
00:01:20And obviously I recorded and created that course before the incident happened. So it's just a
00:01:26coincidence. And I could now totally tell you that you should use a VPS and take that course.
00:01:32And obviously I want you to take this course, but I don't want you to use a VPS for security reasons.
00:01:38There are reasons to use a VPS, I'll get back to them, but security is not one of them.
00:01:42Because what you have to understand is that security obviously, and you probably know that,
00:01:48is a complex topic. And when using a VPS, you are the problematic factor. When using a managed
00:01:58service like Vercel, we saw that an employee in case of this Vercel security incident was
00:02:05the problem, if you want to call it like this, though the actual problem was of course the
00:02:09internal setup, how certain things worked inside of Vercel and how easy one compromised
00:02:18user or employee account could affect the entire system. That was the actual problem.
00:02:23So of course that is something you depend on. You depend on the security measures implemented by
00:02:30your provider, by Vercel for example, obviously. But if you are using a VPS, it's just you.
00:02:38And let's face it, security is a complicated topic. In that course I mentioned, I do show you how to
00:02:46properly set up a VPS, how to harden it so that no one else can connect to it through SSH. That's
00:02:54one important step. I do show you how to ensure that you got automated package upgrades so that
00:03:00your software on the VPS stays up to date, at least to some extent as far as this is possible
00:03:07in an automated way. But of course security doesn't stop there. I mean, we have attacks like the
00:03:12React server components vulnerabilities we had last year. We have vulnerabilities like this, which
00:03:18actually this specific vulnerability would allow attackers to take over your machine and control
00:03:25it, to run code on your machine. And the only way to defend against this is to keep your packages
00:03:32updated once a patch was released for React and Next.js in this specific case. And obviously
00:03:39that's just one example. There are many building blocks in a web application and in general in a
00:03:44system that runs a web application that could become vulnerable or where vulnerabilities could
00:03:49be detected. Now, if you were using Vercel, you actually would get some automatic protection by
00:03:58them because as soon as the vulnerability was discovered, they implemented some automated
00:04:06measures, some protection through their web application firewall service that could help
00:04:12defend against this attack. Now it didn't guarantee protection, but it was an extra layer, an additional
00:04:17layer. So you got some protection without you doing anything in case of this specific attack when using
00:04:24Vercel. And of course the same may have been true for other providers. So if anything, security gets
00:04:31easier when using a managed service like Vercel, despite them of course still also being vulnerable,
00:04:39as we saw. Attacks like this one here in April can happen. But with a VPS, it's all your job.
00:04:47And that of course has its disadvantages. Now, of course, there also are reasons to use a VPS though,
00:04:56and those existed before that security incident because they have nothing to do with security.
00:05:02And a big one of course is cost. VPS can be very cost effective. You can rent some
00:05:10Hetzner VPS for a couple of dollars per month and you know that you'll only be paying that
00:05:16amount of money per month. Whereas with managed providers like Vercel, the pricing system can be
00:05:24complex. And you may incur unexpected costs. We regularly see people posting that they were charged
00:05:34way more than they anticipated. And it's pretty much always the fault of these people, don't get
00:05:39me wrong, but it's to some degree also the fault or deliberately done by providers because they of
00:05:46course have an incentive to make it complex. Let's put it like this. Now they of course also have an
00:05:52incentive to have happy customers on the other hand. So it's not that easy. There aren't the
00:05:57bad guys and the good guys. But of course with a VPS, you definitely can be very cost effective
00:06:03and you know what you'll be paying, which of course is great. And chances are high that you can run
00:06:11certain web applications that might cost you dozens of dollars, maybe hundreds of dollars
00:06:17on a managed provider for just a few dollars like $20 or something like that on a VPS. That is
00:06:24absolutely possible. And I would say this is one of the biggest advantages and the most important
00:06:31reasons for choosing a VPS over a managed provider. Obviously that's not new, but that is what you
00:06:36should be focusing on, not the security aspect. Instead, you should be aware of the fact that
00:06:41security will be your responsibility and comes with its own challenges. Challenges you can master,
00:06:48but challenges. Another advantage of a VPS of course is flexibility. You can effectively do
00:06:57anything on a VPS because it's just a computer. It's just a computer, just a machine, typically with
00:07:06Linux on it. Obviously you can also rent VPS with other operating systems, but Linux is the default,
00:07:11also what I use in my course. And you can install on that system, whatever you want. You can run on
00:07:17that system, whatever you want. For the most part, some providers, most providers block certain ports
00:07:22related to email, but regarding normal workflows, normal applications, you can really do anything
00:07:28there. You can create new users. You can configure this as you want. It's your machine essentially,
00:07:33as if it were standing in your room to some degree. And of course, with managed providers,
00:07:40you are limited to what the provider supports. And one good example I have here is that Vercel,
00:07:46for example, does not support SQLite. "While it can't be used with Vercel, we do offer other
00:07:55storage solutions." SQLite is not supported in Vercel. So if you're building a web application
00:08:01and you want to use SQLite as a database, which is a great choice for many web applications,
00:08:05it's not just a development toy. It's a really production ready, easy to use, easy to set up,
00:08:11easy to manage, and therefore overall great database solution, but you can't just build it,
00:08:18run it locally on your machine and then deploy it as is on Vercel. Just doesn't work. Does work
00:08:24if you're using a VPS though. Again, that's actually one example I use in my course. An
00:08:29application I built there as a demo application that uses SQLite that you can just put and run on
00:08:36a VPS just like that. So you have way more flexibility. Again, the disadvantage here is
00:08:43you need to have the willingness to learn how to work with Linux, for example. Obviously,
00:08:51AI can help with that. AI assistance can help you. It's way easier now than it was in the past,
00:08:56in my experience or in my opinion, but you have to have the willingness to dive in there.
00:09:01With a managed provider, you typically just push your application to GitHub and if everything's
00:09:09configured properly, it will just deploy the updated version and you don't need to worry
00:09:13about anything. Rolling back to older versions is simple. It's simple. That's the advantage,
00:09:19but the price for that is limitation. VPS has a lot of flexibility, but the price for that is
00:09:25complexity or that you have to have the willingness to dive into that and get the technical knowledge
00:09:31or dig into the details to make things work and to configure things properly. It's always a trade-off.
00:09:38But, and that is really important to me here, I think AI helps a lot here. Not just, of course,
00:09:45with generating code and all that stuff, but it can really help with configuring a VPS,
00:09:51with understanding Linux commands, conjuring up all these complex Linux command chains where you
00:10:00have one complex command and you pipe the output into another one. That is the part where AI can
00:10:07make working with a VPS so, so much easier. And therefore, I think using a VPS for hosting
00:10:14a web application, for running certain workflows or for running an AI agent like OpenClaw,
00:10:20definitely a good idea. In many situations, you just have to know the price, which is a
00:10:25bit more complexity and for you, the willingness to learn how things work and how to configure things.
00:10:32Managed providers, great. If you want ease of use, you'll be paying money for that. As always in life,
00:10:37ease of use typically costs money, but yeah, it is simpler. It's as simple as that. If security
00:10:45is what you're looking at, yeah, go with a managed provider. It's definitely not easier and not more
00:10:51secure when using a VPS.