Top CMS Security Threats and How dotCMS Handles Them

Mehdi Karimi, Ph.D.

Director of Cyber Security

In 2024, one of the most widespread and insidious web supply chain attacks in recent memory was discovered—Polyfill.io, a widely used JavaScript CDN, was compromised. What once was a trusted tool used to provide cross-browser compatibility for millions of websites became a vector for malicious code. After its domain changed hands, attackers began silently injecting obfuscated JavaScript into websites across finance, healthcare, retail, and government sectors. These scripts were designed to exfiltrate data, inject fake forms, and in some cases redirect users to phishing sites—without site owners knowing a thing.

The Polyfill.io incident wasn’t a fluke. It was a reminder that the modern web is fragile. When your CMS references or integrates with untrusted libraries, your entire platform—and your users—are exposed. For dotCMS, this was a wake-up call not just for our product, but for our broader ecosystem. And it reaffirmed why we’ve built security into every layer of what we do.

We Power Critical Infrastructure

dotCMS is not just a tool for content creators. It is often the engine behind critical infrastructure—public sector portals, banking platforms, healthcare applications, and high-traffic customer support sites. Our customers trust us not just to manage digital content, but to uphold the integrity of their brand and protect their user data. That means if there’s a security breach on our platform, the consequences are not abstract—they’re operational and reputational. We take that responsibility seriously. That’s why our engineering and cloud teams are trained to think adversarially, testing the system as attackers would and hardening every endpoint before it reaches production.

CMS Platforms Are High-Value Targets

CMS platforms are a natural target for attackers. They often sit at the intersection of multiple systems: CRM, DAM, analytics, authentication, and sometimes even direct access to payment systems or sensitive PII. A single vulnerability in a plugin, admin console, or exposed API can give attackers an entry point to everything else. At dotCMS, we’ve designed our platform with this threat model in mind. We enforce strict access controls, rate limit public APIs, and secure user sessions with modern authentication protocols like OAuth2 and JWT. Every user action, API request, and system configuration is logged and traceable. Because the moment a CMS becomes a blind spot, it becomes a liability.

dotCLI: Automation Without Compromise

Automation is essential to modern DevOps workflows, but it can also introduce risks if done improperly. With dotCLI, our secure command-line interface, we’ve ensured that teams can safely interact with dotCMS programmatically. It respects role-based access control, uses secure API tokens, and logs every interaction. This gives teams the ability to manage deployments, content updates, and configuration changes through CI/CD pipelines without compromising visibility or control. Unlike ad-hoc scripts or unverified plugin tools, dotCLI is purpose-built with security as a first-class concern.

dotAI: Responsible AI, Not Reckless AI

We’ve also integrated AI into our content workflows, but we’ve done so with caution and accountability. dotAI empowers teams to streamline content creation and management using AI—but only within clearly defined guardrails. Sensitive customer data is never exposed to external models without explicit consent. Prompt context is sandboxed. AI-generated content is tagged and logged. In an era where AI can be a vector for data leakage and misinformation, dotCMS treats AI as an enhancement to the platform, not an uncontrolled experiment. We prioritize accuracy, compliance, and control above novelty.

We Build for Compliance and Audit Readiness

Security is meaningless without evidence. That’s why dotCMS aligns with some of the most rigorous industry standards, including SOC 2 Type II, ISO/IEC 27001:2022, and TX-RAMP certification. Our security program is built around the principles of least privilege, continuous monitoring, and defense in depth. We maintain internal controls mapped to NIST 800-53, and we support our customers with all the documentation and attestations they need for their own compliance initiatives. Our cloud infrastructure is encrypted, segmented, and monitored 24/7. Patch management, dependency scanning, and change management are all automated through secure DevSecOps pipelines. Security isn’t a project—it’s part of our release process.

We Learn, Adapt, and Respond

When the Polyfill.io attack was disclosed, we didn’t wait. Our teams immediately scanned customer projects for references to the compromised domain. We issued public guidance on how to audit and remove vulnerable dependencies, and we provided SBOMs to help customers proactively assess their environments. This is how we operate. Our security team runs regular internal and external penetration tests, continuously reviews CVE disclosures, and integrates security scanning into every phase of our build process. When incidents occur anywhere in the ecosystem, we respond as if it were our own platform under attack—because in a connected web, the distinction no longer matters.
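The scan described above, written out as an added example rather than dotCMS's own tooling: it parses HTML for `<script src>` references, flags any that load from the compromised polyfill.io domain, and, going one step beyond the text, also warns about cross-origin scripts loaded without a Subresource Integrity attribute. The sample page and the host names in it are constructed for the example.

```python
"""Audit HTML for third-party scripts referencing a known-compromised host.

Added example, not dotCMS tooling. The block list contains polyfill.io (the
2024 incident discussed above); sample HTML and other hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts must be removed outright; subdomains match as well.
COMPROMISED_HOSTS = {"polyfill.io"}


def _host_matches(host: str, bad: str) -> bool:
    return host == bad or host.endswith("." + bad)


class _ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[str, bool]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], bool(a.get("integrity"))))


def audit_html(html: str, page_host: str, bad_hosts=COMPROMISED_HOSTS):
    """Return findings as (severity, src, reason) in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.scripts:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # relative paths yield an empty netloc and are treated as first-party.
        host = urlparse(src).netloc.lower().rsplit("@", 1)[-1].split(":")[0]
        if not host or host == page_host.lower():
            continue
        if any(_host_matches(host, bad) for bad in bad_hosts):
            findings.append(("critical", src, "references compromised host"))
        elif not has_sri:
            findings.append(("warning", src, "cross-origin script without integrity"))
    return findings


# Constructed sample page: one compromised reference, one SRI-protected
# third-party script, one unprotected third-party script, one first-party.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.example-analytics.test/tag.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example-fonts.test/loader.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for severity, src, reason in audit_html(SAMPLE_HTML, "www.example.test"):
        print(f"[{severity}] {src}: {reason}")
```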

Security Is a Shared Responsibility—But It Starts With Us

While customers are responsible for securing their content, users, and custom code, we take responsibility for the integrity of the platform. That includes everything from secure defaults to detailed audit logs, hardened configurations, and strong authentication practices. We work closely with customers to implement best practices around content security policies, web application firewalls, and custom plugin reviews. We believe in transparency, and we support customers through security reviews, vendor risk assessments, and compliance questionnaires without hesitation.

Message from our Security Team

At dotCMS, security is not a feature or an afterthought—it’s the foundation. It informs how we write code, how we run infrastructure, how we build tools like dotCLI and dotAI, and how we support customers in high-risk environments.

“When customers choose dotCMS, they are trusting us with their most valuable digital assets. That trust must be earned every day—with rigor, discipline, and transparency,” said Mehdi Karimi, PhD, director of cyber security at dotCMS. In a world where a compromised CDN can take down half the internet, we believe the CMS should be the most secure part of your stack—not the weakest link.

If you’re evaluating dotCMS and want to review our latest SOC 2 report, ISO certification, or Software Bill of Materials (SBOM), we encourage you to reach out. Security isn’t just something we talk about—it’s something we prove.

🔒 Visit: https://security.dotcms.com/