Apostrophe offers a full suite of security features for your content.
Intranet features: use Apostrophe's "login required" feature page by page, or get granular with "certain people" (and groups too)
Page-level editing permissions, locked down by user or by group
Optional piece-level permissions for blog posts, etc. by user or by group
Catch-all permissions for content types, by user or group
Automatically "embargo" your blog posts with a future publication date
No unauthorized link sharing: attached file permissions automatically change when content is currently "in the trash"
Optional workflow module addresses the need for content review before publication
Securing the Code
Apostrophe's open-source code is secure.
Open source: "many eyes on the code" draw attention to potential security flaws, much like the Linux operating system kernel that powers most website on the Internet
Secure passwords: passwords are "hashed and salted" using the widely adopted open-source credential module
Single sign-on: those who prefer can rely on the security of single sign-on providers, including but not limited to Google G Suite, via our apostrophe-passport module
CSRF protection: CSRF/XSRF protection is standard equipment for all server requests
XSS protection: output escaping is standard equipment with Nunjucks
