javascript - 是什么让 JAMStack 安全？

Question

JAMstack 的每一个描述似乎都提到“安全”作为好处，例如:

The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.

https://www.contentful.com/r/knowledgebase/jamstack-cms/

delivers better performance, higher security, lower cost of scaling, and a better developer experience.

https://jamstack.org/

我真的不明白什么是“更安全”。我所看到的都是这样的引用:

developers could leverage the expertise of third-party services to enhance the security features of your website/app

因此，简而言之，这里唯一的“安全性”来自于 Auth0、Octa 或任何其他应该擅长安全性的人，因为它他们的焦点是什么？或者我错过了什么？

编辑，又发现了一句引言:

With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.

https://builtvisible.com/go-static-try-jamstack/

所以，看起来大部分“安全”只是没有 WordPress？

Answer 1

是的，基本上就是这样。

“没有 wordpress”意味着:

• 否 Wordpress , Drupal , Jumla , MySQL等等...
• 如果您不使用第 3 方 CDN，网络服务器端( IIS 、 Apache 、 Nginx )可能仍然在这里，但更容易更新和缓解，因为它只提供静态文件，无需管理 php\python\复杂的 cgi 插件和依赖项。
• 没有存储的 XSS，只有 reflected .

它极大地缩小了攻击面。