Security

Security is a top priority for Sveltia CMS. This document outlines the security features of Sveltia CMS and provides best practices for securing your CMS installation.

Our Approach

Sveltia CMS employs multiple layers of security measures to protect your data and ensure a safe content management experience. Our security approach includes the following features and practices:

Security Features

  • XSS protection - HTML sanitization is performed using the DOMPurify library. The unpatched XSS vulnerability in Decap CMS does not affect Sveltia CMS. The sanitize_preview RichText field option defaults to true.
  • No proxy required - The local workflow needs no proxy server, removing the attack surface a proxy adds (compromised dependencies and unauthorized API access).
  • Secure contexts only - HTTPS is required for all site content and CMS configuration.
  • Automatic security headers - The same-origin referrer policy is automatically set.
  • Simplified CSP - No unsafe-eval or unsafe-inline needed in script-src.
  • Signed commits - GitHub commits are automatically GPG-signed and verified.
  • Signed uploads - Media uploads to Uploadcare are signed using secure API keys.

Security Practices

  • Dependency security - Constant updates, pnpm audit, and Dependabot alerts deal with vulnerabilities quickly. ncu’s cooldown option and pnpm’s minimumReleaseAge option protect against supply chain attacks.
  • Transparent releases - We use pnpm, Vite, GitHub Actions, and npm package provenance for verifiable, reliable releases.
  • Frequent releases - Regular releases ensure users get the latest security fixes and improvements promptly.
  • Publishing security - Trusted publishing and 2FA enabled.
  • Security policy - Published security policy for responsible disclosure.

What You Can Do

To protect your Sveltia CMS installation and data, follow these best practices:

  • Keep your Sveltia CMS installation up to date. If you use the CDN version, you’ll always get the latest version unless you specify an exact version number in the URL. If you self-host, regularly check for updates and apply them promptly.
  • Set up PKCE authentication for your Git backend if possible. Sveltia CMS also supports quick personal access token (PAT) authentication, but that is mainly for individual developers and not recommended for multi-user teams, especially when non-technical members are involved.
  • Set up two-factor authentication (2FA) for your Git instance.
  • Keep your Git instance up to date if you’re self-hosting it.
  • Use HTTPS for your site to ensure secure communication between the client and server. All major hosting providers use HTTPS by default. If you self-host, consider using Let’s Encrypt to obtain free TLS certificates. Sveltia CMS doesn’t work on HTTP sites.
  • Set up Content Security Policy (CSP) for your site. See the section below for recommended policies.
  • Do not disable the sanitize_preview option for RichText and Markdown fields unless you fully understand the implications. Disabling this option may expose your site to XSS attacks if untrusted users can edit content.

Setting up Content Security Policy

If your site adopts Content Security Policy (CSP), use the tool below to generate a CSP header based on your specific configuration and deployment setup. You can copy the generated header and add it to your server configuration or use it in a <meta> tag in your HTML.

[Interactive CSP generator: select your Backends, Media Storage Providers, Stock Photo Providers, AI Integrations, Map Providers, Video Embeds and CI/CD Providers; the merged policy marks each value as a base value or as added by a selected service.]

Merged CSP with no services selected (base values only):

style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' blob: data:;
media-src blob:;
frame-src blob:;
script-src 'self' https://unpkg.com;
connect-src 'self' blob: data: https://unpkg.com;

Allowing All Image Sources

If you have image field(s) and expect that images will be inserted as URLs, you may want to allow any source using a wildcard instead of specifying individual origins:

img-src 'self' blob: data: https://*;
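The generator above merges per-service sources into the base policy and the wildcard variant widens img-src; as an added example that is not Sveltia CMS's own generator code, the following Node.js script does the same merge in a reviewable way and then checks the result before you deploy it: it parses a policy into directives, merges additions without duplicates, flags 'unsafe-eval' or 'unsafe-inline' in script-src (which the CMS does not need), and refuses to emit a <meta> tag for directives that browsers only honour in the HTTP header. The base policy is the one printed above; the service additions (the origin in them included) are constructed placeholders, so take real origins from the generator or your provider's documentation.

```javascript
// Added example, not Sveltia CMS code: parse, merge and sanity-check a CSP.
// BASE_CSP is the generator's default from this page; SERVICE_ADDITIONS are
// constructed placeholders, not real provider requirements.
const BASE_CSP = `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' blob: data:;
media-src blob:;
frame-src blob:;
script-src 'self' https://unpkg.com;
connect-src 'self' blob: data: https://unpkg.com;`;

const SERVICE_ADDITIONS = {
  // hypothetical backend API origin (placeholder, not a real service)
  'example-backend': { 'connect-src': ['https://api.example-git-host.invalid'] },
  // the "allow any image source" variant described on this page
  'any-image-url': { 'img-src': ['https://*'] },
};

// Parse "directive src src; directive src; ..." into { directive: [sources] }.
// Directive names are case-insensitive; sources keep their case; duplicates drop.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    policy[key] = policy[key] ?? [];
    for (const s of sources) if (!policy[key].includes(s)) policy[key].push(s);
  }
  return policy;
}

// Return a new policy with the additions merged in; the input is not mutated.
function mergeCsp(policy, additions) {
  const merged = Object.fromEntries(Object.entries(policy).map(([k, v]) => [k, [...v]]));
  for (const [name, sources] of Object.entries(additions)) {
    const key = name.toLowerCase();
    merged[key] = merged[key] ?? [];
    for (const s of sources) if (!merged[key].includes(s)) merged[key].push(s);
  }
  return merged;
}

// Single-line header value, directives separated by "; ".
function serializeCsp(policy) {
  return Object.entries(policy).map(([k, v]) => [k, ...v].join(' ')).join('; ');
}

// Checks a reviewer would run on the final policy; returns a list of findings.
function checkCsp(policy) {
  const findings = [];
  const scripts = policy['script-src'] ?? policy['default-src'];
  if (!scripts) findings.push('no script-src (or default-src): script loading is unrestricted');
  for (const kw of ["'unsafe-eval'", "'unsafe-inline'"]) {
    if (scripts?.includes(kw)) findings.push(`script-src allows ${kw}; Sveltia CMS does not need it`);
  }
  if ((policy['script-src'] ?? []).some((s) => s === '*' || s === 'https:')) {
    findings.push('script-src allows scripts from any origin');
  }
  return findings;
}

// frame-ancestors, report-uri and sandbox are ignored in a <meta> tag and only
// take effect in the HTTP header, so refuse rather than silently drop them.
function toMetaTag(policy) {
  const ignored = ['frame-ancestors', 'report-uri', 'sandbox'].filter((d) => d in policy);
  if (ignored.length) throw new Error(`use an HTTP header; <meta> ignores: ${ignored.join(', ')}`);
  return `<meta http-equiv="Content-Security-Policy" content="${serializeCsp(policy)}">`;
}

// Build the policy for a set of selected services, as the generator does.
function buildPolicy(selectedServices) {
  let policy = parseCsp(BASE_CSP);
  for (const name of selectedServices) policy = mergeCsp(policy, SERVICE_ADDITIONS[name] ?? {});
  return policy;
}

// Stand-alone demo.
const demo = buildPolicy(['example-backend', 'any-image-url']);
console.log(serializeCsp(demo));
console.log('findings:', checkCsp(demo));
```

Run it once with your real selections and keep the findings list empty; if you need frame-ancestors (to stop the CMS page being framed), deliver the policy as a response header rather than a <meta> tag.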

Recommended CSP for Media Libraries

Please refer to the documentation for your specific storage provider for recommended CSP directives, as they typically depend on your configuration (e.g. custom domain vs default endpoint) and may require allowing specific origins for API calls and asset URLs.

Note for Netlify/Decap CMS users

Sveltia CMS does not require the unsafe-eval and unsafe-inline keywords in the script-src CSP directive. Also, no script-src entry is required for the Cloudinary integration to work, because we implemented it without using their hosted widget script.

About UNPKG origin

UNPKG is used not only to download the CMS script bundle, but also to check for the latest version and retrieve additional dependencies such as PDF.js and Prism language definitions.

Released under the MIT License.