By Andrew

Are JAMstack sites affected by the Log4Shell vulnerability?

Log4Shell and the JAMstack

What is Log4Shell?

Log4Shell is a newly discovered vulnerability in the logging software of everybody’s favourite open-source server software, Apache. If you didn’t already know it, Apache runs everything! So a lot of small WordPress websites will be running on Apache. The first WordPress sites that I built were on Apache, and as I was teaching myself backend development, the only servers I deployed were Apache.

JAMstack websites have no servers

As some of you may know, we started as a WordPress development shop and have, over the last 18 months, transitioned to the JAMstack. One of the main reasons for the pivot is security. A JAMstack website is just a collection of files served on a CDN; there are no databases. I think Netlify sums it up best themselves:

A core principle of the Jamstack is that it doesn’t depend on a “webserver.” Now, clearly, there is still a web server replying to HTTP requests, but the CDN/ADN at Netlify only serves static files. What isn’t happening is that a web application, in real-time as the HTTP request is received, dynamically generates a unique version of a web page on the fly using a programming language of some kind. With a Jamstack site, there is no application server or language runtime (meaning no node.js, Ruby, PHP, Python, etc.).

Conclusions

While it’s still early days, the wide-reaching nature of this vulnerability means that your sites are indeed safer on the JAMstack. Although we are moving all our sites to the JAMstack, news of this vulnerability will serve to hasten the process. We feel that we offer a far more secure alternative to WordPress, so why not check out the services we offer?