No PAID self-hosting — free + no-card-on-file providers are fine
No PAID self-hosting — free is fine
Rule
Self-hosting is fine. The only hard constraint is the underlying
provider must be free and require no card on file. The previous
"no self-hosting outside Cloudflare" rule is reversed — it was
over-strict and is now merged with no-card-on-file.md.
If a provider's free tier needs no card, you may run a long-running container, a VPS, a managed Postgres, a Docker host — anything.
Allowlist (free + no-card-on-file)
- Cloudflare Pages / Workers / KV / R2 / D1 (free tier)
- Firebase Spark plan (Auth + Firestore + Hosting)
- Supabase free tier (Postgres + Auth + Storage; no card)
- Render free tier (web services + static + cron; no card)
- Fly.io free tier (no card required for hobby)
- Oracle Cloud Always-Free (2 AMD VMs + 4 ARM VMs forever; card NOT required for Always-Free)
- GitHub Pages (static only)
- Netlify free tier (100 GB bandwidth/mo; no card)
- Vercel Hobby (no card required)
- Deno Deploy free tier
- Glitch free tier
- Any future provider whose free tier requires no card
Banlist (require card)
- AWS / GCP / Azure (card required even for free tier)
- DigitalOcean (card required)
- Linode (card required)
- Heroku (card required since 2022)
- Firebase Blaze (card required)
- Any "free trial then pay" model
Why the reversal
The original rule conflated "card on file" risk with "self-hosting" operational tax. They're orthogonal:
- Card on file is a financial risk (4-5 figure bill-shock incidents documented in
no-card-on-file.md) - Self-hosting is an ops-tax risk (patching, monitoring, backups)
Ops tax is acceptable on a free provider; bill-shock is never acceptable. So the only line that matters is the card line.
Cross-refs
no-card-on-file.md— the actual binding constraintcloudflare-pages-only.md— kept for primary web hostingno-subscriptions.md— stricter cousin (no recurring billing of any kind)