Security
Secure because there's so little to attack
The most secure production server is one that runs no code. Chinaski publishes static HTML, so your live site has no application layer, no database, and almost no attack surface.
Why it's safe by design
No application layer in production
The live site is flat HTML served by nginx. There is no Perl process running at request time, no database accepting queries, and no user input being evaluated. The attack surface is the file server itself.
Admin is air-gapped from public
The admin interface runs on a separate port that is never exposed to the internet. Content is authored privately, built into static files, and synced to the public server. The two never share a process.
No JavaScript in public output
Static pages contain no JavaScript by default. No third-party scripts, no tracking pixels, no client-side code that can be injected or compromised. XSS via the output layer is structurally impossible.
Security details
Content Security Policy
Because the public output is static HTML with no inline JavaScript, you can deploy a strict Content-Security-Policy header with no exceptions. Chinaski's output is compatible with CSP levels that most dynamic CMSes cannot meet.
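The two claims above (no JavaScript in the output, and a strict CSP with no exceptions) can be checked on every build before anything is synced to the public server. The following script is an added example, not Chinaski's own code: it prints the nginx header snippet for a strict policy (the policy text and the idea of keeping it in an included snippet are assumptions, not something this page specifies) and audits the built HTML for the constructs that policy would block, so a page that accidentally picked up an inline handler or a CDN-hosted script fails before deployment rather than breaking in the browser. The sample HTML files are constructed here purely to exercise the audit.

```shell
#!/bin/sh
# Added example (not part of Chinaski): emit a strict CSP snippet for nginx and
# audit a build directory for anything that policy would block.

# Strict policy: nothing loads unless explicitly allowed. With no script-src,
# scripts fall back to default-src 'none', so no JavaScript runs at all.
CSP_POLICY="default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'"

# Print an nginx snippet to `include` from the server block (assumed layout).
csp_nginx_snippet() {
    printf 'add_header Content-Security-Policy "%s" always;\n' "$CSP_POLICY"
    printf 'add_header X-Content-Type-Options "nosniff" always;\n'
}

# Return 0 if the HTML file contains nothing the strict policy would block,
# 1 otherwise; each offending construct is reported on one line of stdout.
csp_audit_file() {
    f="$1"
    rc=0
    # Any <script> element: blocked, since script-src is not granted.
    if grep -qi '<script' "$f"; then echo "$f: <script> element"; rc=1; fi
    # Inline event handlers (onclick=, onload=, ...): need 'unsafe-inline'.
    if grep -Eqi '<[^>]*[[:space:]]on[a-z]+[[:space:]]*=' "$f"; then echo "$f: inline event handler"; rc=1; fi
    # javascript: URIs in href/src attributes.
    if grep -Eqi '(href|src)[[:space:]]*=[[:space:]]*.?javascript:' "$f"; then echo "$f: javascript: URI"; rc=1; fi
    # Inline style attributes or <style> blocks: style-src is 'self' only.
    if grep -Eqi '(<style|[[:space:]]style[[:space:]]*=)' "$f"; then echo "$f: inline style"; rc=1; fi
    # Cross-origin resource loads (src= or <link href=); plain <a href> links are navigation, not loads.
    if grep -Eqi '(src|<link[^>]*href)[[:space:]]*=[[:space:]]*.?(https?:)?//' "$f"; then echo "$f: cross-origin resource"; rc=1; fi
    return $rc
}

# Audit every HTML file under a build directory; non-zero if any file fails.
# (A plain for loop is used so the status survives; paths with spaces are not expected in build output.)
csp_audit_dir() {
    status=0
    for f in $(find "$1" -name '*.html'); do
        csp_audit_file "$f" || status=1
    done
    return $status
}

# Constructed sample output (not real Chinaski output) to exercise the audit.
CSP_DEMO_DIR="${TMPDIR:-/tmp}/csp-demo.$$"
mkdir -p "$CSP_DEMO_DIR"
cat > "$CSP_DEMO_DIR/clean.html" <<'EOF'
<!doctype html><html><head><link rel="stylesheet" href="/css/site.css"></head>
<body><h1>Hello</h1><img src="/media/photo.png" alt=""><a href="https://example.org/">link</a></body></html>
EOF
cat > "$CSP_DEMO_DIR/dirty.html" <<'EOF'
<!doctype html><html><body onload="init()"><script src="https://cdn.example/a.js"></script>
<p style="color:red">x</p></body></html>
EOF

# Usage: csp_nginx_snippet > /etc/nginx/snippets/csp.conf; csp_audit_dir ./build || exit 1
```

Run `csp_audit_dir` against the build directory as the last step before syncing; a non-zero exit means the output no longer matches the policy the server sends, which is exactly the case where a "strict CSP with no exceptions" would start blocking your own pages.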
SQL injection surface
The admin uses parameterised queries throughout. The production site has no database at all. There is no SQL injection surface on the live site because there is no SQL.
File upload security
Media uploads are stored on the admin host and validated by MIME type before storage. The public static site references media by URL — files are not present on the production server unless explicitly included in the build output.
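Whether Chinaski checks the file's own bytes or the MIME type the browser declares is not stated on this page; the check a practitioner wants is the former, because the declared `Content-Type` and the file extension are both chosen by the uploader. The script below is an added example, not Chinaski's code: it reads the leading bytes (the magic number) with POSIX `od`, maps them to an image type from a small allowlist, and rejects anything whose content does not match what its name claims. The sample files are constructed inline; the allowlist and the accept/reject messages are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Chinaski): validate an upload by its magic number,
# not by extension or client-supplied Content-Type.

# First 8 bytes of the file as lowercase hex, no separators.
magic_hex() {
    od -An -tx1 -N8 "$1" | tr -d ' \n'
}

# Map the magic number to a media type; prints nothing for unknown content.
detect_image_type() {
    hex=$(magic_hex "$1")
    case "$hex" in
        89504e470d0a1a0a*)            echo "image/png" ;;
        ffd8ff*)                      echo "image/jpeg" ;;   # JPEG SOI marker
        474946383761*|474946383961*)  echo "image/gif" ;;    # GIF87a / GIF89a
        *) ;;
    esac
}

# Accept only if the content is a recognised, allowlisted type AND matches the
# type the extension claims. Returns 0 (accept) or 1 (reject) with a reason.
validate_upload() {
    f="$1"
    ext=$(printf '%s' "$f" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    detected=$(detect_image_type "$f")
    case "$ext" in
        png)      expected="image/png" ;;
        jpg|jpeg) expected="image/jpeg" ;;
        gif)      expected="image/gif" ;;
        *) echo "reject: extension .$ext not allowed"; return 1 ;;
    esac
    if [ -z "$detected" ]; then
        echo "reject: content is not a recognised image"; return 1
    fi
    if [ "$detected" != "$expected" ]; then
        echo "reject: content is $detected but name claims $expected"; return 1
    fi
    echo "accept: $detected"
    return 0
}

# Constructed sample uploads (a few header bytes are enough for the check).
UPLOAD_DEMO="${TMPDIR:-/tmp}/upload-demo.$$"
mkdir -p "$UPLOAD_DEMO"
printf '\211PNG\r\n\032\n'  > "$UPLOAD_DEMO/real.png"         # genuine PNG signature
printf '\377\330\377\340'   > "$UPLOAD_DEMO/photo.jpg"        # genuine JPEG header
printf '<html><script>'     > "$UPLOAD_DEMO/fake.png"         # HTML named as an image
printf '\211PNG\r\n\032\n'  > "$UPLOAD_DEMO/mislabelled.jpg"  # PNG bytes, JPEG name

# Usage: validate_upload "$UPLOAD_DEMO/fake.png" || echo "upload refused"
```

The mismatch rule matters as much as the allowlist: an HTML document saved as `.png` is refused because its bytes are not an image at all, and a real PNG saved as `.jpg` is refused because a server that later serves it with the extension's `Content-Type` would be lying to the browser.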
Dependency audit
Nine dependencies in Debian stable means security patches come through apt upgrade. There is no npm audit to run, no bundled JavaScript to scan, and no transitive dependency graph to worry about.
Air-gapped deployments
Chinaski can build a complete static site on a machine with no internet access. The build reads from the local SQLite database and writes to a local directory. No external API calls, no CDN dependencies, no telemetry.
Complete setup, theming, and API documentation lives at docs.chinaski.net.