Security, built into the design.
Devani inherits a lot of its security posture from being small, open-source, and self-hosted. There's no central server we can lose, no plugin marketplace shipping mystery code, and no third-party scripts you didn't ask for.
Security by reduction.
Most CMS security problems come from things Devani doesn't have. That's not an accident — it's the design.
No plugin marketplace
The biggest CMS attack surface — third-party plugins from unknown authors — doesn't exist here. There's nothing to misconfigure or trust by accident.
Static output
Public pages are rendered to static HTML. No live PHP, no SQL queries per request, no admin endpoints exposed to crawlers.
Automatic snapshots
Every change is snapshotted, with a 30-day rollback window. If you ever get hit by a bad edit or a compromised account, you can revert the whole site in seconds.
Open source
The code is public. You can audit it, fork it, run your own build. If a CVE is found, it's found in the open — not buried in a vendor's incident-response process.
The parts that aren't ours.
Devani is self-hosted. That means some pieces of the security picture are your responsibility, not ours. Here's the honest breakdown.
- SSL / HTTPS. Handled by your hosting (Vercel, Fly, Cloudflare, Nginx + Let's Encrypt). Most modern hosts do this automatically.
- Server hardening. Firewall rules, SSH keys, OS patches: your platform's job. If you use a managed host like Vercel or Fly, this is mostly handled for you.
- Uptime. If your hosting goes down, your site goes down. Devani sites are static, so even on basic hosting they tend to stay up well.
- Admin access. You set the password. We recommend a long passphrase and a hardware security key if you're protecting client work.
- Updates. Devani updates are opt-in. We'll tell you when one's out and what it changes; you decide when to install it.
Found something? Tell us.
If you find a security issue in Devani, please open a private security advisory on GitHub or email security@devani.io. We respond to every report. We don't run a bug-bounty program yet — but we credit reporters in release notes when they want to be named.
Less surface, fewer problems.
A simpler stack is a more secure stack. Devani is built on that principle from the ground up.