How secure is Ghost?

I understand that the toggle to make your website private is not intended to provide the security of Fort Knox, but how secure is it? Compared to, say, news websites that have paywalls which are sometimes easy to circumvent?

Additionally, how secure is access to members-only posts?

Can anybody speak about how this works in the back-end and what kinds of security measures are used?

I’m not particularly worried about this for my own website (people can read my terrible poetry if they like) but I would like to know more about this in case I make a website for somebody else and they ask.

Final question, on a related topic: is there some way to modify the HTML/CSS of the login page when your website is set to private? I’m not referring to the login page for the admin dashboard.

Not sure about how secure it is, but you can modify it by creating your own private.hbs template.

1 Like

As secure as possible. Ghost puts the protection at the server level, not the frontend (unlike cough cough some other sites). So it doesn’t matter what theme you have or what custom changes you make. A private post will only be exposed through the API to a logged-in member. More official details - https://ghost.org/help/is-it-possible-to-get-around-the-login-system-using-incognito-mode-or-disabling-javascript/

This page has some good details overall. I’m sure the token scheme for 3rd parties and logged-in users probably has an active secure session.

Yes. You can use the #has helper in the theme to show/hide things based on private flags. You could also just change nearly anything since themes control the frontend.

3 Likes