I've been working on a django Web app to manage some data for tenants. Things like their personal contact information, government ID, tenancy agreements etc (in other words, very gdpr sensitive info) as well as personally private information such as expense reports. All of this is displayed on the front end of the app as intended seeing as it's supposed to be a private tool for internal company use.
At the moment I run it at home on a local machine server so there is little risk involved however for my convenience I'd like to take the Web app live so I can access it while I'm out and about. The issue I'm having is that there really is no reason for anyone other than myself or business associates to use this app and therefore no reason for anyone else to connect to the domain.
I've considered making the landing page of the website a login page and locking all other views behind this with CSRF protection but even that is too close for comfort in my opinion as it would mean allowing external entities tor connect to the app. I'd much rather have a server which refuses any connection to the outside world straight away unless it is from me. In other words, a server which does not divulge any part of the app or database until login credentials have been correctly entered.
What I envision is that once you type in the domain and hit enter, the moment a connection is made, the server prompts you with an alert box asking for login credentials before any of the app or templates are loaded.
Is this even possible? I've never hosted any of my software online and do not want to fall into a nasty data breach situation by taking this live. At the same time it isn't ideal that the current system operates on the premise that I'm home all the time.