Tor Onion Service Security Best Practices

• Bind services to localhost only — Your web server (Nginx, Apache) should listen on 127.0.0.1, not 0.0.0.0. If it binds to all interfaces, anyone can access it without Tor.
• Firewall everything — Block all incoming connections except from localhost. Only Tor should be able to reach your web server.
• Don't serve the same content on clearnet and .onion — If the same unique content is on both, correlation can reveal your server.
• Remove identifying headers — Disable Server, X-Powered-By, and other headers that reveal software versions.
• Disable access logs — Don't log visitor IPs (they're Tor exit nodes anyway, but the practice matters).

• Use a dedicated server for the onion service — don't share with other services
• Keep Tor, web server, and OS fully updated
• Use AppArmor or SELinux to restrict Tor's permissions
• Run services as non-root users with minimal permissions
• Disable unnecessary services (sendmail, avahi, cups, etc.)
• Use unattended-upgrades for automatic security patches

• DDoS protection — .onion services are vulnerable to DDoS. Use OnionBalance for load distribution and rate limiting in your web server.
• Guard discovery attacks — Use Vanguards (included in recent Tor versions) to protect your guard nodes from being identified.
• Application security — SQL injection, XSS, and other web vulnerabilities can be exploited to reveal server information. Audit your application.

Getting all of this right is complex and a single mistake can compromise your anonymity. AnubizHost provides pre-hardened Tor hosting where all these security measures are already in place. We handle the infrastructure security so you can focus on your content.