Apostrophe is Secure

Lock the barn before the cows get out.

Securing your Content


Apostrophe offers a full suite of security features for your content.


  • Intranet features: use Apostrophe's "login required" feature page by page, or get granular with "certain people" (and groups too)
  • Page-level editing permissions, locked down by user or by group
  • Optional piece-level permissions for blog posts, etc. by user or by group
  • Catch-all permissions for content types, by user or group
  • Automatically "embargo" your blog posts with a future publication date
  • No unauthorized link sharing: attached file permissions automatically change when content is "in the trash"
  • Optional workflow module addresses the need for content review before publication

Securing the Code


Apostrophe's open-source code is secure.


  • Open source: "many eyes on the code" draw attention to potential security flaws, much like the Linux operating system kernel that powers most websites on the Internet
  • Secure passwords: passwords are "hashed and salted" using the widely adopted open-source credential module
  • Single sign-on: those who prefer can rely on the security of single sign-on providers, including but not limited to Google G Suite, via our apostrophe-passport module
  • CSRF protection: CSRF/XSRF protection is standard equipment for all server requests
  • XSS protection: output escaping is standard equipment with Nunjucks
  • Used and trusted by enterprise customers