Security is a huge concern when building for the web. Even with countermeasures in place, keeping websites safe from attack can seem like an endless endeavor. This is especially the case in monolithic server-side setups, where countless third-party plugins are installed to give administrators easy access to content and configuration. However convenient they may be, those plugins are a massive attack surface: each one is third-party code running with the same privileges as the site itself, and plugins are notoriously insecure because they are often poorly maintained and demand frequent (and sometimes buggy) updates. Sites that rely heavily on plugins, and on the update cycle they impose, therefore run the risk of either breaking or being pwned altogether. The need for such setups to be constantly running and available widens the attack surface further. Every visit means a trip to the server, where application code executes and the database is queried to render the page, so critical endpoints (the admin interface among them) must stay publicly reachable, and the overall risk of attack rises with them.
As trivial as it may sound, reducing a website's exposure to attack can be achieved by simply going static. In a static setup the files served to visitors are read-only build artifacts, and no application code runs when a page is requested. Servers are still involved in a JAMstack setup, mainly to run the build, but they stay out of the public's reach since only the built static files are exposed, via a CDN. Moreover, the distributed nature of the JAMstack API ecosystem means that services are highly decoupled from one another: each feature talks to its own API, so if an external-facing API were compromised the damage is contained to the functionality that depends on it, and the underlying infrastructure (the build server, the source content, and the credentials the build uses) stays out of reach because nothing the public can touch points back to it. The one caveat is the CDN itself: whoever controls the CDN controls what your visitors are served, so while your infrastructure is still safe in that scenario, your site is not, and the CDN account deserves the same protection as any other deployment credential. With no databases, plugins, or server-side code executing per request, the risk of server-side code injection on a JAMstack style site is dramatically reduced; what remains is the client-side JavaScript and the APIs it calls, which should be treated with the same care as any other code you ship.
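The property described above, that only built, read-only static files reach the CDN, is easy to state and easy to break by accident, for example when a build-time secret or a stray server-side file ends up in the publish directory. The following pre-deploy gate is an added example in POSIX shell; it is not code from the original post or from any JAMstack vendor. It assumes the static site generator has already written the site into a publish directory, that `sha256sum` (GNU coreutils) is available, and that the CDN will serve exactly those files; the file-name and content patterns it looks for are illustrative assumptions, not a complete list.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a static site
# generator has already written its output into the directory passed as $1
# (the "publish directory") and that the CDN will serve exactly those files.
# The patterns below are illustrative assumptions, not an exhaustive list.

# check_static_only DIR: returns 0 if DIR holds only static deliverables,
# 1 if it contains server-side source, server config, or build-time secrets.
check_static_only() {
  dir="$1"
  # Anything that only makes sense on a server (or is a secret) has no
  # business being pushed to a CDN. Stop after a few hits to keep output short.
  bad=$(find "$dir" -type f \( -name '*.php' -o -name '*.py' -o -name '*.rb' \
        -o -name '*.sh' -o -name '.env' -o -name '.env.*' -o -name '*.pem' \
        -o -name '*.key' -o -name '.htpasswd' \) | head -n 5)
  # Build-time secrets can also leak *inside* otherwise legitimate files,
  # e.g. a private key or cloud credential templated into a JS bundle.
  leaks=$(grep -rIl -e 'BEGIN [A-Z ]*PRIVATE KEY' -e 'AWS_SECRET_ACCESS_KEY' "$dir" || true)
  if [ -n "$bad$leaks" ]; then
    echo "refusing to deploy $dir: server-side files or secrets in build output" >&2
    [ -n "$bad" ] && printf '%s\n' "$bad" >&2
    [ -n "$leaks" ] && printf '%s\n' "$leaks" >&2
    return 1
  fi
  return 0
}

# write_manifest DIR OUT: writes a SHA-256 manifest of every file under DIR,
# sorted by path, to OUT. Keep OUT with the build record; fetching the same
# paths from the CDN later and hashing them tells you whether what is live
# is what you actually built.
write_manifest() {
  dir="$1"; out="$2"
  ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$out"
}

# Demo on a constructed publish directory: one clean build and one that
# accidentally picked up a .env file from the build environment.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/clean" "$tmp/leaky"
  printf '<h1>hello</h1>\n' > "$tmp/clean/index.html"
  printf 'body{margin:0}\n' > "$tmp/clean/style.css"
  cp "$tmp/clean/index.html" "$tmp/leaky/index.html"
  printf 'API_TOKEN=not-a-real-token\n' > "$tmp/leaky/.env"   # constructed leak
  if check_static_only "$tmp/clean"; then
    write_manifest "$tmp/clean" "$tmp/clean.sha256"
    echo "clean build ok, manifest:"; cat "$tmp/clean.sha256"
  fi
  check_static_only "$tmp/leaky" || echo "leaky build rejected as expected"
  rm -rf "$tmp"
}
demo
```

Run `check_static_only` as the last step of the build job, before anything is pushed, and store the manifest alongside the build log. Because a compromised CDN could serve something other than what you built, periodically fetching the live files and comparing their hashes against that manifest is the check that tells you whether the read-only artifacts are still the ones you deployed.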
JAMstack or not, security on a site is never 100% guaranteed, and a robust security strategy takes some effort. HTTPS is the obvious and simple place to start with securing your JAMstack site: without it, the read-only files you built can still be tampered with or replaced between the CDN and the visitor. For more convincing on why you'd want HTTPS on a static JAMstack setup, check out this timelessly relevant post over on the Netlify blog.
Top comments (1)
Hi @Divya, I just posted a short article about this:
dev.to/andrzejwp/how-to-secure-you...
which is a repost of our Flotiq Deep Dives article on the same subject.