Security
How Wagtail helps you secure your content
With built-in security features, enterprise-level permissions, and regular security releases, Wagtail is a CMS for organizations that want strong security for their content.
- Enterprise permissions included
Whether your content team is small or large, the permissions system in Wagtail makes it easy to create groups with access restricted to particular pages or parts of the Wagtail admin. Plus, there are no extra packages or fees for this feature. All permissions features are available right away.
- Private pages
Have content that needs a little extra security? You can publish pages in Wagtail that only specific groups and users can access. You can even add a password if you like.
- Page locks to control editing
With page locks, you don't have to worry about other people changing your content by accident or without permission. When you lock your content, only you and administrators can make changes.
- Secure package installation
With Wagtail, you don't have to worry about users installing packages or add-ons that could introduce security risks. Packages can only be installed by people who have access to your Wagtail code, which also reduces the chance of users creating conflicts or other major errors.
- Extendable authentication to meet your standards
Need two-factor authentication or single sign-on? You can add those features to Wagtail. And if you have other authentication services you want to integrate, Wagtail doesn't get in the way of you securing Wagtail the way you want to.
- Wagtail provides a Software Bill of Materials (SBOM)
An SBOM is an inventory of all the dependencies that go into a particular piece of software. You can have a look at the SBOM for Wagtail on GitHub.
Why people feel safe with Wagtail
"I have no worries with Wagtail, whereas with any given WordPress site there are at least 20 different plug-ins that could suddenly become de-supported or a security problem."
"Wagtail gives us the multilingual capabilities and security we need, while being intuitive enough for our team to manage quickly during emergencies. It's the platform that allows us to act without delay."
Wagtail has a robust security foundation
Wagtail is built on top of a security-minded web framework called Django. Here are just some of the security features that Wagtail gets from choosing to use Django at our core:
- Built-in protection from common attacks
Thanks to Django, you can more easily protect your Wagtail projects from common web attacks like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking.
- Make your database a harder target
The queryset features in Wagtail and Django make it harder for hackers to use SQL injection to target your database through forms and other user inputs.
- Strong support for security headers
Django and Wagtail provide a strong baseline for security headers such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP), among others, to help you protect your site from malicious code.
- Strives to prevent the OWASP Top 10
Both Django and Wagtail aim to make it harder for malicious users to carry out the top 10 most common attacks identified by OWASP. There is even a cheatsheet that can help you head off a lot of those attack avenues.
- Added protections for development
Django and Wagtail use a secret key to restrict access to debugging mode and prevent outsiders from learning sensitive information about your project. The settings structure also makes it easy for you to maintain separate settings for different environments.
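The "harder target" point about querysets above comes down to one habit: the value a visitor typed never becomes part of the SQL text, it is bound as a parameter. The following is an added example, not Wagtail's or Django's own code, using Python's bundled sqlite3 module and a constructed three-row page table so it runs offline. It puts the hand-built query beside the parameterised one, which is the same binding Django's queryset API (for instance Page.objects.filter(live=True, title=title)) performs for you.

```python
import sqlite3

# Constructed sample content for this example: three pages, one of them an
# unpublished draft that a visitor must never see.
SAMPLE_PAGES = [
    ("About us", 1),
    ("Board minutes (draft)", 0),
    ("Press release", 1),
]


def make_db():
    """Build an in-memory table shaped like a much simplified page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT, live INTEGER)")
    conn.executemany("INSERT INTO page (title, live) VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def search_unsafe(conn, title):
    """The mistake: the form value is pasted into the SQL text, so quotes in it
    become part of the statement and can rewrite the WHERE clause."""
    sql = f"SELECT title FROM page WHERE live = 1 AND title = '{title}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, title):
    """The queryset approach: a placeholder in the SQL, the value passed
    separately. The driver binds it as data, never as syntax, so the
    live = 1 filter cannot be switched off by the input."""
    sql = "SELECT title FROM page WHERE live = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the textbook tautology, used only to show the difference
    print("unsafe:", search_unsafe(db, probe))  # every page, the draft included
    print("safe:  ", search_safe(db, probe))    # nothing: no page has that literal title
```

The thing to watch for in a Wagtail project is code that steps outside the queryset API: raw() and cursor.execute() are fine when the value goes in the params argument, and dangerous when it is formatted into the string as search_unsafe does.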
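The two list items on security headers and on per-environment settings describe the same mechanism: Django settings. This added example (not Wagtail's or Django's code) shows a production settings builder that reads its secret and hostnames from the environment, a deliberately weak development profile beside it, and a small audit() helper that flags the weak values. The setting names are real Django settings; the project layout, the environment variable names and the audit() function are this example's own assumptions, and audit() is only a stand-in for Django's real `manage.py check --deploy`.

```python
import os
import string


def production_settings(env=None):
    """Production values. The key and hostnames come from the environment, so the
    same settings module ships to every environment and no secret sits in git."""
    env = os.environ if env is None else env
    secret_key = env.get("DJANGO_SECRET_KEY")
    if not secret_key:
        raise RuntimeError("DJANGO_SECRET_KEY is not set; refusing to start with a default key")
    return {
        "DEBUG": False,                    # never show tracebacks or settings to visitors
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": [h for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h],
        "SECURE_SSL_REDIRECT": True,
        "SECURE_HSTS_SECONDS": 31536000,   # one year, the minimum the preload list accepts
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
        "SECURE_HSTS_PRELOAD": True,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
        "SESSION_COOKIE_SECURE": True,
        "CSRF_COOKIE_SECURE": True,
        "X_FRAME_OPTIONS": "DENY",         # clickjacking protection
    }


def development_settings():
    """Local values: convenient, and deliberately not safe to deploy."""
    return {
        "DEBUG": True,
        "SECRET_KEY": "django-insecure-local-only",
        "ALLOWED_HOSTS": ["localhost", "127.0.0.1"],
        "SECURE_HSTS_SECONDS": 0,
        "X_FRAME_OPTIONS": "SAMEORIGIN",
    }


def audit(settings):
    """Return a list of findings; an empty list means the settings pass this check."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is on: error pages would reveal settings, SQL and file paths")
    key = settings.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        findings.append("SECRET_KEY is short, low-entropy or a generated placeholder")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: browsers are not told to stay on HTTPS")
    for flag in ("SECURE_SSL_REDIRECT", "SECURE_CONTENT_TYPE_NOSNIFF",
                 "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append(f"{flag} is not enabled")
    if settings.get("X_FRAME_OPTIONS") not in ("DENY", "SAMEORIGIN"):
        findings.append("X_FRAME_OPTIONS must be DENY or SAMEORIGIN")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or a wildcard")
    return findings


# A well-formed key for demonstration only (62 distinct characters); generate real
# ones with: python -c "import secrets; print(secrets.token_urlsafe(50))"
EXAMPLE_STRONG_KEY = string.ascii_letters + string.digits

if __name__ == "__main__":
    print("dev findings:", audit(development_settings()))
    prod = production_settings({"DJANGO_SECRET_KEY": EXAMPLE_STRONG_KEY,
                                "DJANGO_ALLOWED_HOSTS": "www.example.org"})
    print("prod findings:", audit(prod))  # []
```

The HSTS, nosniff and X-Frame-Options headers here are emitted by Django's SecurityMiddleware and XFrameOptionsMiddleware from these settings; a Content Security Policy header is not covered by them and is usually added with a dedicated middleware such as the django-csp package. Running `manage.py check --deploy` before each release catches the same class of mistakes audit() does, with Django's own, more complete rules.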
Security procedures you can count on
How we handle Wagtail security issues
The Wagtail security team has standard procedures for reviewing reported security issues and notifying users to prevent bad actors from exploiting bugs. When there is a confirmed security issue, we put out security releases in a timely manner and issue advisories to encourage everyone to install the patches.