Onion services operators need to practice proper operational security and system administration to maintain security.
For some security suggestions please make sure you read over Riseup's "Tor Hidden (Onion) Services Best Practices" document.
Also, here are some more anonymity issues you should keep in mind:
- As mentioned here, be careful of letting your web server reveal identifying information about you, your computer, or your location.
For example, readers can probably determine whether it's thttpd or Apache, and learn something about your operating system.
- If your computer isn't online all the time, your onion service won't be either.
This leaks information to an observant adversary.
- It is generally a better idea to host onion services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
- The longer an onion service is online, the higher the risk that its location is discovered.
The most prominent attacks are building a profile of the onion service's availability and matching induced traffic patterns.
- Another common issue is whether to use HTTPS on your onionsite or not.
Have a look at this post on the Tor Blog to learn more about these issues.
- To protect your onion service from advanced attacks you should use Vanguards addon, read Tor blog about Vanguards and Vanguards' Security README.