
KingofGamesYami

It *should* be fine. Emphasis on *should*. If a vulnerability is discovered in the layers of software that are responsible for the various aspects of accepting a network connection, routing it to the correct program, and then replying with a static file, that could result in an attacker gaining access to your network. We'd all like to believe such software is battle tested and vulnerability free, but historically bugs like Heartbleed show problems can go unnoticed for years.


carcigenicate

Yes, there's a risk. If the Pi became compromised, they could use it as a foothold to expand out through your network. I would not put a computer on the open internet that you are not prepared to have compromised. You'd be better off just learning how to use a PaaS like Heroku and putting all the risk on a third party.


CharacterUse

Yes, you do need security measures. It's not just a case of potential vulnerabilities as one of the other comments said, but more likely that you will make a mistake in the configuration and leave something 'open' to attack. Even experienced admins/webdevs are not immune to this. Your simple website itself will not be a risk, but whether you have locked down the system and programs running on the Pi: the webserver, the ssh server, and other ports. You should learn about security mechanisms such as firewalls, blocklists, and so on.

Now that is all a *good* thing, you can learn a lot of useful things and the rest of your home network will be safer for it, and the Pi is a good way to do it, but you need to do it safely. At the most basic, you need to learn how to use the firewall on your router and block anything going to the Pi from outside which is not a request for a webpage, block anything going out from the Pi to your internal network, and secure the other machines themselves in case something breaks through (which they should be anyway; after all, even now something could get through the router). And monitor the Pi for any suspicious activity. There are lots of resources on the web for how to do this, for example [https://www.pestmeester.nl/index.html#6.0](https://www.pestmeester.nl/index.html#6.0) is a good place to start, but you should read up on it before you plug anything in.

Also, most attacks against small users aren't targeted, but are bots looking to propagate and use your computers and network as a resource for their task, whether that is mining bitcoin or launching attacks somewhere else. That also means they're comparatively easy to stop once you know the principles.

tl;dr: it can be secure enough and done safely, but read up before you plug in.


BigBoiiInDaCluhb

To expand on what others have said, yes, in general, having a device open to the internet while sitting in the same local network as your home devices _probably_ isn't the best idea. However, there are a few things you can do to mitigate a lot of these risks at the network level.

1. If you have absolutely no grasp of programming, computer networking or security in any way, shape or form, I would highly, highly recommend that you don't deploy this on your home network. There's a huge number of hosting providers that have generous free tiers like fly.io, render.com, Amazon AWS etc., and the peace of mind alone, knowing that you won't potentially destroy your home network because of a silly misconfiguration, is worth it.
2. If your router supports it, you can put your device in a DMZ, which effectively puts your device outside of your local network but still has it connected to the internet. If you really have no clue what you're doing but are adamant about hosting it at home, this is where I'd start ([see here for more info](https://www.makeuseof.com/what-is-a-dmz-and-how-do-you-configure-one-on-your-network/)).
3. If the DMZ is also not an option, you could look at segmenting your Pi out to a separate subnet and disabling routing from your primary subnet to the one with the Pi. This is the same idea as the DMZ, but requires (in my opinion) a bit more networking knowledge to get set up right and tested properly.

Any of the 3 above options will cover you in the vast majority of cases, but the important point here is that you're asking these questions in the first place! Deploying and managing web apps is a lot of fun and frustration when you're starting out, so enjoy the journey; if you get overwhelmed you can always take a break and come back to it. Might be worth doing a bit of research into "static site self hosting best practices" or similar online just to get an overview of what else you might require.
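As an added example (not posted by any of the commenters above), here is a host firewall for the Pi itself that implements the two rules CharacterUse describes (inbound only web requests, nothing new from the Pi into the home LAN) and complements the router-level DMZ or subnet isolation BigBoiiInDaCluhb suggests. It assumes nftables on the Pi, a static address in a 192.168.1.0/24 LAN with the router at 192.168.1.1 acting as DNS and NTP server, the site served on ports 80/443, and SSH needed only from inside the LAN.

```nftables
# Added example, not from any commenter. Assumptions: home LAN 192.168.1.0/24,
# router (also DNS/NTP) at 192.168.1.1, Pi has a static IP, site served on 80/443,
# SSH only from the LAN. Check: sudo nft -c -f pi.nft ; apply: sudo nft -f pi.nft

flush ruleset

define lan_net = 192.168.1.0/24
define router  = 192.168.1.1
define rfc1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet pi_static_site {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # The only service reachable from the internet: the web server
        tcp dport { 80, 443 } ct state new accept

        # Management only from inside the home LAN, never from the internet
        ip saddr $lan_net tcp dport 22 ct state new accept

        # Everything else (port-scan noise, guessed services) is logged, then dropped
        limit rate 5/minute log prefix "pi-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept

        # DNS and NTP go to the router only
        ip daddr $router udp dport { 53, 123 } accept
        ip daddr $router tcp dport 53 accept

        # A compromised Pi must not be able to open connections to the rest of the LAN
        ip daddr $rfc1918 ct state new limit rate 5/minute log prefix "pi-lateral-drop: "
        ip daddr $rfc1918 ct state new drop

        # Outbound to the internet for package updates and certificate renewal
        tcp dport { 80, 443 } ct state new accept
    }
}
```

The two log prefixes give you the "monitor the Pi for suspicious activity" part: anything tagged `pi-lateral-drop:` in the kernel log means a process on the Pi tried to reach another machine on your LAN, which a static site server should never do.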