- check No server
- check No database
- check No CMS or plugins
- check No login endpoint
There is nothing to breach.
Most platforms try to secure a fundamentally vulnerable architecture. We removed the architecture. A Nitrosite is a set of static files served from read-only storage behind a content delivery network. There is no server to compromise, no database to exfiltrate, and no admin panel to brute-force. The attack surface is not small. It is absent.
Security through elimination.
The conventional approach treats security as an arms race: a vulnerability is discovered, a patch is deployed, and everyone hopes the next one is found before an attacker finds it first. We decline to play that game. Each Nitrosite is pre-built into flat files and published to a read-only object store, then served to the world through an edge firewall and a global cache. The visitor receives static documents and nothing more.
The same discipline runs deeper than hosting. Before a single page is designed, NitroCMS unifies five data sources and hands them to our analysis engine for synthesis. The site is the product of evidence, not improvisation, and its security is a property of the architecture rather than a feature bolted on afterward.
We do not patch vulnerabilities. We prevent them from existing.
When the component that creates an entire class of attack is removed, the attack disappears with it. Eight of the ten OWASP categories are addressed by architecture alone.
| OWASP category | Why it does not apply | Status |
|---|---|---|
| Injection | No database to query means no query to inject. The entire class of SQL injection cannot occur. | Eliminated |
| Cross-site scripting | No dynamic rendering of user input on the server. Pages are pre-built and immutable, with security headers set at the edge. | Eliminated |
| Broken authentication | There is no login endpoint, no session, and no credential to steal. Nothing to authenticate, nothing to break. | Eliminated |
| Security misconfiguration | No server runtime to harden and no application stack to misconfigure. The surface a misconfiguration would expose does not exist. | Eliminated |
| Sensitive data exposure | No database holds client data on the website. TLS 1.3 is enforced on every request, with HTTPS and HSTS applied at the edge. | Eliminated |
| XML external entities | No server-side XML parser processes untrusted input. The component that the attack targets is not present. | Eliminated |
| Insecure deserialization | No server-side code deserializes data, because there is no server-side code at all. | Eliminated |
| Vulnerable components | No plugins and no third-party runtime means no supply-chain risk. The site depends on its own flat HTML, nothing else. | Eliminated |
OWASP categories addressed by architecture alone: eight of ten. The remaining two are matters of operational discipline rather than the application surface a static site exposes.
The standard law firm site versus a Nitrosite.
- cancel A database, open to injection
- cancel A server runtime, open to remote code execution
- cancel A public admin login, open to brute force
- cancel Dozens of plugins, each an unpatched risk
- cancel File upload endpoints, open to malware
- check_circle No database
- check_circle No server runtime
- check_circle No login endpoint
- check_circle No plugins
- check_circle Zero attack vectors
Every layer is protected anyway.
The architecture eliminates most threats by design. We add further layers on top, because confidentiality deserves more than a single line of defense.
- check Web application firewall with OWASP rule sets and rate limiting
- check Automatic DDoS detection and mitigation
- check Automated bot and scraper filtering
- check TLS 1.3 enforced on every request
- check Certificates auto-provisioned and auto-renewed
- check HTTPS redirect and HSTS headers enforced
- check Read-only object storage, no write access
- check Origin reachable only through the CDN, never directly
- check Security headers set at the edge
Why a law firm, in particular.
A law firm holds some of the most sensitive material on the internet: privileged communications, financial records, and the private circumstances clients disclose in confidence. That concentration of confidential information makes a firm a high-value target, and the duty to safeguard it is not merely good practice. It is an ethical obligation.
A compromised website is not only an embarrassment. It can become a matter of professional liability. The most reliable way to protect privileged data on a website is to build a website that holds none and exposes nothing.
The business case, plainly stated
- database No database means no client records to exfiltrate from the site, and no entire class of injection attack to defend.
- terminal No server code means no remote execution. You cannot run code on a server that does not exist.
- verified_user No plugins means no supply-chain risk. The site's security depends on its own flat HTML, and on nothing borrowed.
Verify it for yourself, then write to us.
View the source of any Constellate page. You will find no WordPress, no plugins, and no login. If client confidentiality is how you would like your website to be built, write to us. Four questions. We reply within two business days.