What Makes the JAMStack Secure?
up vote
0
down vote
favorite
Every description of the JAMstack seems to mention "security" as benefit, e.g.:
The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.
https://www.contentful.com/r/knowledgebase/jamstack-cms/
delivers better performance, higher security, lower cost of scaling, and a better developer experience.
https://jamstack.org/
I really don't understand what's "more secure" about it. All I am seeing are quotes like this:
developers could leverage the expertise of third-party services to enhance the security features of your website/app
So, in short, is the only "security" here coming from the fact that Auth0, Octa, or whoever else is supposed to be good at security because it's their focus? Or am I missing something?
Edit, found one more quote:
With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.
https://builtvisible.com/go-static-try-jamstack/
So, it seems like most of the "security" is just not having wordpress?
javascript security jamstack
asked Nov 10 at 19:07
VSO
1,92084090
add a comment |
up vote
0
down vote
favorite
Every description of the JAMstack seems to mention "security" as benefit, e.g.:
The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.
https://www.contentful.com/r/knowledgebase/jamstack-cms/
delivers better performance, higher security, lower cost of scaling, and a better developer experience.
https://jamstack.org/
I really don't understand what's "more secure" about it. All I am seeing are quotes like this:
developers could leverage the expertise of third-party services to enhance the security features of your website/app
So, in short, is the only "security" here coming from the fact that Auth0, Octa, or whoever else is supposed to be good at security because it's their focus? Or am I missing something?
Edit, found one more quote:
With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.
https://builtvisible.com/go-static-try-jamstack/
So, it seems like most of the "security" is just not having wordpress?
javascript security jamstack
asked Nov 10 at 19:07
VSO
1,92084090
1
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
Every description of the JAMstack seems to mention "security" as benefit, e.g.:
The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.
https://www.contentful.com/r/knowledgebase/jamstack-cms/
delivers better performance, higher security, lower cost of scaling, and a better developer experience.
https://jamstack.org/
I really don't understand what's "more secure" about it. All I am seeing are quotes like this:
developers could leverage the expertise of third-party services to enhance the security features of your website/app
So, in short, is the only "security" here coming from the fact that Auth0, Octa, or whoever else is supposed to be good at security because it's their focus? Or am I missing something?
Edit, found one more quote:
With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.
https://builtvisible.com/go-static-try-jamstack/
So, it seems like most of the "security" is just not having wordpress?
javascript security jamstack
asked Nov 10 at 19:07
VSO
1,92084090
Every description of the JAMstack seems to mention "security" as benefit, e.g.:
The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.
https://www.contentful.com/r/knowledgebase/jamstack-cms/
delivers better performance, higher security, lower cost of scaling, and a better developer experience.
https://jamstack.org/
I really don't understand what's "more secure" about it. All I am seeing are quotes like this:
developers could leverage the expertise of third-party services to enhance the security features of your website/app
So, in short, is the only "security" here coming from the fact that Auth0, Octa, or whoever else is supposed to be good at security because it's their focus? Or am I missing something?
Edit, found one more quote:
With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.
https://builtvisible.com/go-static-try-jamstack/
So, it seems like most of the "security" is just not having wordpress?
javascript security jamstack
javascript security jamstack
asked Nov 10 at 19:07
VSO
1,92084090
asked Nov 10 at 19:07
VSO
1,92084090
edited Nov 10 at 21:58
asked Nov 10 at 19:07
VSO
1,92084090
asked Nov 10 at 19:07
VSO
1,92084090
asked Nov 10 at 19:07
VSO
1,92084090
1,92084090
1
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36
add a comment |
1
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36
1
1
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
Yes, that basically it.
Having "no wordpress" means:
- No Wordpress, Drupal, Jumla, MySQL, etc...
- The webserver side (IIS, Apache, Nginx) maybe still here if you are not using 3rd party cdn but easier to update and mitigate because it only serve static files, no need to manage php python complicate cgi plugins and dependencies.
- No stored XSS, only reflected.
It dramatically narrows down the attack surface.
answered Nov 11 at 14:19
yeya
450513
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Yes, that basically it.
Having "no wordpress" means:
- No Wordpress, Drupal, Jumla, MySQL, etc...
- The webserver side (IIS, Apache, Nginx) maybe still here if you are not using 3rd party cdn but easier to update and mitigate because it only serve static files, no need to manage php python complicate cgi plugins and dependencies.
- No stored XSS, only reflected.
It dramatically narrows down the attack surface.
answered Nov 11 at 14:19
yeya
450513
add a comment |
up vote
1
down vote
Yes, that basically it.
Having "no wordpress" means:
- No Wordpress, Drupal, Jumla, MySQL, etc...
- The webserver side (IIS, Apache, Nginx) maybe still here if you are not using 3rd party cdn but easier to update and mitigate because it only serve static files, no need to manage php python complicate cgi plugins and dependencies.
- No stored XSS, only reflected.
It dramatically narrows down the attack surface.
answered Nov 11 at 14:19
yeya
450513
add a comment |
up vote
1
down vote
up vote
1
down vote
Yes, that basically it.
Having "no wordpress" means:
- No Wordpress, Drupal, Jumla, MySQL, etc...
- The webserver side (IIS, Apache, Nginx) maybe still here if you are not using 3rd party cdn but easier to update and mitigate because it only serve static files, no need to manage php python complicate cgi plugins and dependencies.
- No stored XSS, only reflected.
It dramatically narrows down the attack surface.
answered Nov 11 at 14:19
yeya
450513
Yes, that basically it.
Having "no wordpress" means:
- No Wordpress, Drupal, Jumla, MySQL, etc...
- The webserver side (IIS, Apache, Nginx) maybe still here if you are not using 3rd party cdn but easier to update and mitigate because it only serve static files, no need to manage php python complicate cgi plugins and dependencies.
- No stored XSS, only reflected.
It dramatically narrows down the attack surface.
answered Nov 11 at 14:19
yeya
450513
answered Nov 11 at 14:19
yeya
450513
answered Nov 11 at 14:19
yeya
450513
answered Nov 11 at 14:19
yeya
450513
450513
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53242461%2fwhat-makes-the-jamstack-secure%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Sounds very much like the default security advantages of any static web page, nothing special for Jamstack.
– Bergi
Nov 11 at 14:36