Security - serious question (not trolling)

OK, I’ll hold my hand up, that’s me. :roll_eyes:

I have the DuckDNS add-on, and in configuration.yaml I have:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

…even though it makes it difficult to use the HA app, and I have two-factor authentication enabled. What else should I be doing?