Why Self-Hosted Apps Need a Security Foundation
The security problems every self-hoster faces—and how to solve them with complete isolation, runtime protection, and ephemeral secrets.
What is Kdral?
Kdral is a security layer for self-hosted apps. You do not need to master multiple configuration languages or security frameworks. Connect your server through the dashboard and the system handles all of it.
The Analogy
Cloudflare protects your website. Kdral protects your server.
Cloudflare doesn't replace your website—it protects it. DDoS mitigation, WAF, caching. Similarly, Kdral doesn't replace your deployment platform—it protects it.
You can run Coolify, Dokploy, or Komodo inside Kdral and get complete isolation without changing your workflow.
Deploy container platforms with one click
From your Kdral dashboard, deploy your favorite container platform — Coolify, Dokploy, or Komodo — with complete isolation. Your workflow stays the same, but now with real security.
This post explains the architectural principles that guide Kdral—not the specific technologies (those are implementation details), but the why behind our design decisions.
The Foundation Matters
Most infrastructure tools treat the operating system as a given. Install a distro, then layer Docker on top, then orchestration, then monitoring, then security. Each layer adds complexity and potential failure modes.
We rebuilt the foundation. Our server transformation creates an environment where updates don't break things, rollbacks are instant, and every configuration is reproducible. That's the prerequisite for everything else working reliably.
Why server transformation?
The Kdral dashboard connects to your server and transforms it into a hardened deployment platform. One setup wizard, automatic hardening, and your foundation is ready.
Isolation Must Be Real
Containers revolutionized deployment, but they share resources. A container escape compromises everything on the host. Namespace isolation is software policy, not hardware boundary.
Kdral uses complete isolation instead. Each application runs in its own protected environment. The isolation boundary is enforced by hardware, not by software policy.
| Aspect | Containers | Kdral |
|---|---|---|
| Resources | Shared with host | Dedicated per app |
| Isolation | Software (namespaces) | Complete |
| Startup | Fast | Equally fast |
| Container escape risk | Compromises host | Contained in isolation boundary |
The result
You get complete isolation with excellent performance. A compromised container inside Kdral stays contained—isolated from other apps and the host.
Each App = Its Own Environment
Here's what most people miss about container platforms like Coolify or Dokploy: all your apps share the same container runtime. Same resources, same blast radius.
A CVE in one app can compromise all apps. A container escape in Ghost gives attackers access to your Plausible analytics, your Postgres database, your Redis cache—everything running on that host.
The shared resource problem
In Coolify: CVE in app A = risk to apps B, C, D, and everything else on the host.
In Kdral: CVE in app A = contained in app A only. Apps B, C, D are completely isolated.
In Kdral, each app runs in its own isolated environment. Ghost cannot see Plausible. Plausible cannot see Postgres. Each application has its own dedicated resources with hardware-level boundaries.
| Scenario | Coolify/Dokploy | Kdral |
|---|---|---|
| Ghost vulnerability exploited | Attacker can pivot to other containers | Attacker trapped in Ghost only |
| Container escape | Full host access, game over | Escape hits isolation boundary, not host |
| Exploit escalation | Compromises all containers | Only affects one app |
| Network sniffing | Can see traffic from other apps | Isolated network per app |
Each app in its own environment
Your dashboard shows all deployed apps with their isolation status. Three apps means three completely isolated environments. A Ghost vulnerability is isolated from Plausible — complete separation.
Isolation by design
Each app has its own environment. Separate resources. Separate boundaries. Separate everything. This is defense by design.
Security is Not Optional
Traditional security tools are bolted on after the fact. Install the application, then add monitoring, then configure alerts, then hope you catch threats in time.
In Kdral, security is built into the deployment pipeline:
- Runtime Protection — Threat detection that blocks attacks in real-time. Not just logging—actual prevention.
- Hardened Environments — Every app runs in a security-audited environment.
- CVE Scanning — Automatic vulnerability scanning before every deployment with policy enforcement.
- Ephemeral Secrets — Keys exist only in RAM during runtime. Never persisted to disk.
Zero configuration security
This is not enterprise complexity. Deploy any app from the catalog with one click and security is included by default.
Session-Based Security
Here's a security feature you won't find in other self-hosted platforms: Kdral requires authentication before any operation. Your dashboard session is secured with your account credentials, and sensitive operations require additional verification.
Session-based security
Even if someone gains access to your server via SSH, they cannot control your Kdral apps or access secrets without authenticating through the dashboard. Your infrastructure is protected by a separate authentication layer.
Think of it as a security boundary around your entire infrastructure. Attackers who compromise SSH still can't list apps, stop services, access secrets, or modify configurations without proper authentication.
Why this matters
SSH access alone is not enough. An attacker with your SSH key still needs to authenticate with Kdral to do anything meaningful. Two separate authentication layers, two separate barriers.
| Aspect | Traditional Tools | Kdral |
|---|---|---|
| SSH access grants | Full control of infrastructure | Nothing without dashboard authentication |
| Session management | Always unlocked | Automatic session timeout |
| Stolen laptop risk | Attacker has full access | Authentication required |
| Compromised SSH key | Game over | Still need dashboard access |
Dashboard sessions expire automatically after inactivity. This isn't about inconvenience—it's about limiting the window of opportunity. Even if you forget to log out, Kdral logs you out automatically.
Strict access control
Nothing works without authentication. Not app management, not secrets, not configuration. This is how serious infrastructure should behave.
Secrets Deserve Respect
API keys in environment variables. Database passwords in .env files committed to git. Credentials shared over Slack. This is how most teams handle secrets, and it is terrifying.
Kdral protects secrets with ephemeral keys that rotate automatically:
- Never stored in plaintext
- Never transmitted unencrypted
- Never logged
- Secrets exist only in RAM during runtime—they never touch disk
Manage secrets securely
Add and manage secrets through your dashboard. Secrets are encrypted and injected into your apps at runtime — they never touch disk and never appear in logs.
Zero-knowledge secrets
When your app starts, it receives secrets in memory. Nothing on disk. Nothing to steal from a compromised filesystem.
Simple Setup, No Dependencies
Installing infrastructure tools often requires... other infrastructure tools. You need Docker to run Kubernetes, Terraform to provision the cluster, Helm to deploy applications, and three more tools to monitor it all.
Kdral is different. Request access, add your server through the setup wizard, and you're ready to deploy. No package managers, no runtime dependencies to manage on your server.
Getting started
- Request access at ping@kdral.com
- Add your server using the setup wizard
- Deploy apps from the catalog with one click
Why this matters
When something breaks at 3 AM, you want to click a button—not debug a dependency chain.
Offline-First
Most modern tools assume constant internet connectivity. License checks, telemetry, feature flags, update pings. If the vendor's servers go down, your infrastructure stops working.
Kdral operates offline by design:
- Licenses work offline—your infrastructure never depends on our servers
- No telemetry or usage tracking
- Applications run without phoning home
- Updates are pulled when you choose, not pushed automatically
Your infrastructure, your control
Your infrastructure should not stop working because someone else's cloud had an outage.
Predictable Costs
PaaS platforms make money from usage-based pricing. The more successful your application, the higher your bill. A viral moment becomes a financial emergency.
Kdral has fixed pricing:
| Plan | Apps | Price |
|---|---|---|
| Warhorse | Unlimited apps per server | $29/month |
| Phantom | Unlimited + Dark Forest | $500/month |
| Fleet | Unlimited + Enterprise | Custom |
No bandwidth charges, no request metering, no surprise invoices. You pay for the capability, not the usage.
The Security Layer Philosophy
Here's the key insight: Kdral doesn't ask you to change how you work.
If you love Coolify's UI for managing containers, keep using it. If Dokploy fits your workflow better, use that. If you prefer Komodo's approach, go for it. Kdral sits underneath as the security foundation.
| Without Kdral | With Kdral |
|---|---|
| Coolify on Docker, shared resources | Coolify with complete isolation |
| Container escape = host compromise | Container escape = isolation boundary |
| Secrets in .env files | Secrets only in RAM |
| Hope nothing gets in | Runtime protection stops anomalies |
The bottom line
Your workflow stays the same. Your security level goes up.
Conclusion
Kdral exists because we wished it existed. We were tired of YAML files, dependency hell, surprise bills, and security afterthoughts.
The architecture is not clever for the sake of being clever. Every decision—solid foundation, complete isolation, runtime protection, offline-first operation—solves a real problem we experienced ourselves.
You shouldn't need a PhD in DevOps to deploy a web application securely. That's the principle. Kdral is the implementation.
The Bottom Line
Security should be invisible until you need it. Kdral handles the hard parts so you can focus on shipping.