Ensuring Data Integrity with Zesty.io's Security Features

Security Features in Zesty.io

Zesty.io is designed with a strong focus on security, providing a variety of features that ensure your content and data are protected. This article will cover the key security features of Zesty.io, including User Permissions, User Granular and Custom Roles, Web Application Firewall, Marketing Preview Password, Headless Header Passwords, Security Response Headers, Authentication options like SSO, Basic Auth, and Dev Tokens, as well as Telemetry and Audit Logs.

User Permissions

User permissions in Zesty.io allow you to control access to your site's content and settings. You can assign different permission levels to different users, ensuring that each user only has access to the parts of the site that are relevant to their role.

User Granular and Custom Roles

In addition to the standard roles, Zesty.io enables you to define custom roles with granular permissions. This means you can create roles that exactly fit your team's needs and workflows, providing precise control over who can do what in the CMS.

Web Application Firewall

Zesty.io features a built-in Web Application Firewall (WAF) that helps protect your site from common web threats. The WAF filters, monitors, and blocks unwanted HTTP traffic to and from your web application, safeguarding your data from potential attacks.

Marketing Preview Password

The Marketing Preview Password feature allows you to secure your preview environments with a password, so that unpublished content can only be previewed by authorized users.

Headless Header Passwords

Zesty.io offers the ability to secure your headless endpoints with header passwords. This provides an extra layer of security, ensuring that only authorized users and applications can access your data.

Security Response Headers

Zesty.io supports the use of security response headers, which provide a way to enhance the security of your site by instructing the browser how to behave when handling your site's content. This can help to prevent attacks like cross-site scripting (XSS) and clickjacking.
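To make the "instructing the browser" point concrete, here is an added example (not Zesty.io code and not tied to its configuration) that audits a response's security headers and reports which browser-side protections are missing or weak. The two header sets are constructed for the example; the checks cover the XSS and clickjacking cases named above plus HSTS, MIME sniffing and referrer leakage.

```javascript
// Added example, not Zesty.io code: audit the security response headers on an
// HTTP response and report which browser-side protections are missing or weak.
// Both header sets below are constructed for this example.

// A partially hardened response (constructed).
const SAMPLE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'",
  "Strict-Transport-Security": "max-age=60",
};

// The same response with every finding below addressed (constructed).
const HARDENED_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

const ONE_YEAR_SECONDS = 31536000;

// Each check sees the whole (lower-cased) header map, because some protections
// can be expressed by more than one header. It returns a description of the
// problem, or null when the protection is in place.
const CHECKS = [
  {
    name: "content-security-policy",
    mitigates: "cross-site scripting (XSS)",
    evaluate: (h) => {
      const v = h["content-security-policy"];
      if (v === undefined) return "missing";
      if (!/(^|;)\s*(default-src|script-src)\s/.test(v)) return "no default-src or script-src directive";
      if (/'unsafe-inline'/.test(v)) return "allows 'unsafe-inline'";
      return null;
    },
  },
  {
    name: "x-frame-options / frame-ancestors",
    mitigates: "clickjacking",
    evaluate: (h) => {
      // CSP frame-ancestors supersedes X-Frame-Options; accept either.
      if (/frame-ancestors/.test(h["content-security-policy"] || "")) return null;
      const v = h["x-frame-options"];
      if (v === undefined) return "missing";
      if (!/^(DENY|SAMEORIGIN)$/i.test(v)) return `unrecognised value "${v}"`;
      return null;
    },
  },
  {
    name: "strict-transport-security",
    mitigates: "protocol downgrade and cookie theft over plain HTTP",
    evaluate: (h) => {
      const v = h["strict-transport-security"];
      if (v === undefined) return "missing";
      const m = /max-age=(\d+)/.exec(v);
      if (!m || Number(m[1]) < ONE_YEAR_SECONDS) return "max-age shorter than one year";
      return null;
    },
  },
  {
    name: "x-content-type-options",
    mitigates: "MIME sniffing",
    evaluate: (h) => (/^nosniff$/i.test(h["x-content-type-options"] || "") ? null : "missing or not 'nosniff'"),
  },
  {
    name: "referrer-policy",
    mitigates: "leaking URLs (and any tokens in them) via the Referer header",
    evaluate: (h) => (h["referrer-policy"] === undefined ? "missing" : null),
  },
];

// Header names are case-insensitive, so normalise keys before the checks run.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns one finding per protection that is absent or weakly configured.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];
  for (const c of CHECKS) {
    const problem = c.evaluate(h);
    if (problem) findings.push({ header: c.name, problem, mitigates: c.mitigates });
  }
  return findings;
}

console.log("sample:", auditSecurityHeaders(SAMPLE_HEADERS));
console.log("hardened:", auditSecurityHeaders(HARDENED_HEADERS));
```

Run with `node` and feed it the header map of any response you want to review; the sample set produces three findings (short HSTS max-age, no nosniff, no Referrer-Policy) while the hardened set produces none.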

Auth options: SSO, Basic Auth, and Dev Tokens

Zesty.io provides several authentication options, including Single Sign-On (SSO), Basic Authentication, and Developer Tokens. SSO allows users to log in once and gain access to multiple systems without being prompted to log in again. Basic Auth provides a simple challenge-and-response mechanism, and Developer Tokens allow secure API access.

Telemetry and Audit Logs

Telemetry and Audit Logs allow you to keep track of actions taken in your Zesty.io account. Audit logs provide a record of who did what and when, which is essential for troubleshooting, security investigations, and complying with regulatory requirements.
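As an added example (not Zesty.io code, and not its real log format), here is the kind of processing a security investigation applies to audit logs: parse the entries, answer "who did what and when" for one object, and flag entries that warrant review. The newline-delimited JSON format, field names, action names and every log line are constructed for the example.

```javascript
// Added example, not Zesty.io code: parse newline-delimited JSON audit entries,
// reconstruct the history of one object, and flag entries that need review.
// The log format, field names, action names and entries are all constructed.

// Constructed audit log; one line is deliberately malformed.
const SAMPLE_AUDIT_LOG = `
{"ts":"2024-03-01T09:00:00Z","actor":"alice@example.com","action":"login","target":"-","ip":"203.0.113.5"}
{"ts":"2024-03-01T09:05:00Z","actor":"alice@example.com","action":"content.update","target":"page:home","ip":"203.0.113.5"}
{"ts":"2024-03-01T23:40:00Z","actor":"bob@example.com","action":"role.update","target":"user:carol@example.com","ip":"198.51.100.7"}
this line is not JSON and must not abort the parse
{"ts":"2024-03-01T23:41:00Z","actor":"bob@example.com","action":"content.delete","target":"page:pricing","ip":"198.51.100.7"}
{"ts":"2024-03-01T23:41:10Z","actor":"bob@example.com","action":"content.delete","target":"page:about","ip":"198.51.100.7"}
{"ts":"2024-03-01T23:41:25Z","actor":"bob@example.com","action":"content.delete","target":"page:contact","ip":"198.51.100.7"}
`;

const REQUIRED_FIELDS = ["ts", "actor", "action", "target"];

// One entry per line. Malformed lines are counted rather than fatal, because a
// partially damaged log must still be usable in an investigation.
function parseAuditLog(text) {
  const entries = [];
  let skipped = 0;
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      if (REQUIRED_FIELDS.some((f) => typeof e[f] !== "string")) throw new Error("missing field");
      e.time = Date.parse(e.ts);
      if (Number.isNaN(e.time)) throw new Error("bad timestamp");
      entries.push(e);
    } catch {
      skipped += 1;
    }
  }
  entries.sort((a, b) => a.time - b.time);
  return { entries, skipped };
}

// "Who did what and when" for a single object, oldest first.
function historyOf(entries, target) {
  return entries
    .filter((e) => e.target === target)
    .map((e) => ({ ts: e.ts, actor: e.actor, action: e.action }));
}

// Review rules: privilege changes always get a look; a burst of deletions by
// one actor inside a short window is a common sign of a misused account.
function findAlerts(entries, { burstCount = 3, burstWindowMs = 60000 } = {}) {
  const alerts = [];
  for (const e of entries) {
    if (/^(role|permission)\./.test(e.action)) {
      alerts.push({ kind: "privilege-change", actor: e.actor, target: e.target, ts: e.ts });
    }
  }
  const deletesByActor = new Map();
  for (const e of entries) {
    if (e.action.endsWith(".delete")) {
      if (!deletesByActor.has(e.actor)) deletesByActor.set(e.actor, []);
      deletesByActor.get(e.actor).push(e);
    }
  }
  for (const [actor, dels] of deletesByActor) {
    // dels is already time-ordered; slide a window of burstCount entries over it.
    for (let i = 0; i + burstCount - 1 < dels.length; i++) {
      const first = dels[i];
      const last = dels[i + burstCount - 1];
      if (last.time - first.time <= burstWindowMs) {
        alerts.push({ kind: "delete-burst", actor, count: burstCount, from: first.ts, to: last.ts });
        break; // one alert per actor is enough for triage
      }
    }
  }
  return alerts;
}

const { entries, skipped } = parseAuditLog(SAMPLE_AUDIT_LOG);
console.log(`${entries.length} entries parsed, ${skipped} skipped`);
console.log(historyOf(entries, "page:pricing"));
console.log(findAlerts(entries));
```

On the constructed log this yields two alerts: the role change bob made on carol's account, and bob's three deletions inside 25 seconds. The thresholds are parameters so the same rules can be tuned to a team's normal editing rhythm instead of hard-coded.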

The security features of Zesty.io give you confidence in the integrity and safety of your data, allowing you to focus on creating excellent content. With its built-in protections and robust authentication options, Zesty.io is a secure choice for your content management needs.

Security Patching & Vulnerability Management

At Zesty.io, we employ a "Secure-by-Deployment" philosophy. Rather than manually applying patches to long-running servers, we utilize a containerized architecture on Google Cloud Platform (GCP) that treats infrastructure as immutable.

Underlying Host Security (Google Managed)

Since our platform runs on managed GCP services (such as Google App Engine and Cloud Run), the underlying physical hardware and host operating systems are managed by Google’s security teams.

  • Host Patching: Google automatically applies security patches to the underlying hypervisor and host OS.
  • Zero-Downtime Updates: These updates are performed using live migration technology, ensuring that the infrastructure supporting your website is patched against "Heartbleed" style vulnerabilities without any interruption to your service.

Application & OS Layer Patching (Zesty.io Managed)

For the software layers we control (the container OS and application dependencies), we do not follow a fixed weekly or monthly schedule. Instead, we patch continuously through our CI/CD pipeline.

  • Deployment-Triggered Patching: Every time we deploy code—which can happen multiple times per day—our build system pulls the latest, hardened base images. This means that every deployment effectively "repaves" our environment with the most recent security updates available.
  • Ad-Hoc Vulnerability Response: If a critical vulnerability (CVE) is announced, our team triggers an immediate rebuild and redeployment of all affected services. This allows us to roll out patches across our entire fleet in hours, rather than waiting for a scheduled maintenance window.
  • Minimal Surface Area: Our containers use "distroless" or minimal base images (like Container-Optimized OS), which remove unnecessary tools (like SSH or shells), significantly reducing the potential attack surface.