
Secure your Content Creation Workflows with CKEditor

Security-focused Rich Text Editor with SOC 2 Type 2 Compliance

Reduce Security Risk and Maintain Content Privacy

Our rich text editor meets leading standards for data security, availability, and confidentiality, with cloud and self-hosted options.

SOC 2 Type 2 Compliance

Rest assured that our infrastructure and processes meet stringent standards for data security, availability, and confidentiality. Our secure environment protects against unauthorized access and data breaches, providing a trustworthy rich text editing solution.

GDPR Compliance

We ensure that all personal data is processed securely and transparently, in compliance with European data protection regulations.

Cloud Security

CKEditor Cloud Services are hosted on AWS and feature multi-layered security measures, data encryption, and automatic failover. With end-to-end encryption and regular backups, we safeguard your data during transfer and at rest.

  • Hosted on AWS in the US East (Northern Virginia) region (EU hosting coming soon)

  • Deployed on multiple servers across at least two availability zones

  • 99.99% SLA on infrastructure

Adherence to Security Best Practices

We follow a secure Software Development Life Cycle (S-SDLC), embracing security as part of the process and at every stage of development. For self-hosted setups, CKEditor allows you to meet the highest security standards and have full control over your infrastructure and data protection.

Additional Security Measures

We go beyond compliance with measures like mitigating cross-site scripting (XSS) attacks with Content Security Policy (CSP), using SSL/TLS for secure communications, and performing regular vulnerability scans. These extra steps create a secure environment for content creation and collaboration.

Data Encryption

All data is encrypted using AES-256 at rest, and TLS 1.2+ encryption is enforced for all communications in transit. Each customer’s data is protected with unique private keys, providing data isolation and offering maximum security for all content and communication.

  • Uses HTTPS/WSS with TLS 1.2+ for secure communication

  • Operates over the standard TCP port (443)

Access Control

Implement granular permission settings, such as read-only or comments-only access, and role-based controls. This allows precise management of who can view, edit, or comment on your content.

Regular Security Audits

We employ automated monitoring, regular security audits, and penetration testing to identify and mitigate potential threats. Our 24/7 system monitoring ensures that any vulnerabilities are quickly addressed.

Backup and Disaster Recovery

CKEditor Cloud Services include automatic backups with point-in-time recovery. Data is replicated across multiple locations, offering continuity and data integrity even in the event of a disaster.

  • Databases replicated in two locations for automatic failover

  • Automatic point-in-time backups for the last 7 days


Frequently asked questions

Security-sensitive customers (like those in regulated industries) may want to consider using CKEditor Self-Hosted. This solution gives you full control over hosting and data processing. Data processed using these systems is not sent to any servers that CKSource controls—you host the core editor and premium plugins on your infrastructure.

Certain CKEditor features and plugins may, however, access external services; a detailed list is available from your Account Manager. All of these features can be disabled if they do not fit your risk profile.

Whenever applicable, the server-side components provide authentication based on JWT.

For security-sensitive customers, CKEditor Self-Hosted Security solutions comply with GDPR, giving you full control over data processed on your infrastructure without it being sent to CKSource’s servers.

In the default configuration, CKEditor filters scripts out of the editor content and prevents scripts from executing in the expected markup. However, an attacker can bypass any client-side application, so client-side filtering alone is not a security boundary. We therefore strongly recommend passing all received editor content through server-side filters as well.
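The server-side filtering recommended above, as an added illustration that is not CKEditor's or CKSource's code: an allowlist-based HTML sanitizer built on Python's standard-library `html.parser`. The tag and attribute allowlist, the URL-scheme policy and the sample documents are assumptions constructed for this example. The point it shows is that anything not explicitly allowed (event-handler attributes, `script` and `style` elements, `javascript:` and `data:` URLs, unknown tags) is dropped, instead of trying to recognise malicious patterns.

```python
"""
Server-side allowlist sanitizer for rich-text HTML.

Added illustration, not CKEditor or CKSource code. Editor output is
treated as untrusted input and re-filtered on the server, because any
client-side filtering can be bypassed. The allowlists, the URL policy
and the sample documents below are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: permitted tags and, per tag, the attributes kept.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "u": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h2": set(), "h3": set(), "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# The text content of these elements is dropped too, not only the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
# Empty scheme = relative URL. javascript:, data:, vbscript: etc. are rejected.
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}


def safe_url(value: str) -> bool:
    """Accept only http(s), mailto and relative URLs.

    Tabs and newlines are removed first because browsers ignore them
    inside a scheme ("java\tscript:"), and surrounding whitespace is trimmed.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text; we re-escape it on output,
        # so encoded payloads such as &lt;script&gt; cannot smuggle markup through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text children
        kept = []
        for name, value in attrs:
            # Anything not listed for this tag is dropped; that covers every
            # on* event handler and the style attribute without naming them.
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and <img .../> forms

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, are dropped


def sanitize(html: str) -> str:
    """Return a re-serialised document containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of content a client might submit after bypassing the editor.
    submitted = ('<p onclick="steal()">Hello <script>alert(1)</script>'
                 '<a href="javascript:alert(2)">link</a></p>')
    print(sanitize(submitted))  # <p>Hello <a>link</a></p>
```

The sanitizer runs on the server at the point where editor content is received, so it holds regardless of what the client did. In a production service a maintained sanitizing library (for example DOMPurify on Node or nh3 in Python) is preferable to hand-written code; the value of this block is in showing the allowlist discipline such libraries implement.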

CKEditor supports Content Security Policy (CSP) to limit resource loading. For recommendations on the strictest CSP configuration go to the Content Security Policy guide.

CKEditor's modern architecture, which uses a custom data model and conversion pipelines, ensures that by default only content intended to be accepted can appear in the editing area, further limiting the chance for potential XSS vulnerabilities.

For a full list of Security Advisories for patched XSS vulnerabilities, go to the CKEditor GitHub repository's Security Advisories section.

Each customer’s data is encrypted with unique private keys to ensure isolation and prevent cross-access.

CKEditor’s architecture includes automatic failover to backup instances in different availability zones for service continuity. In addition, CKEditor Cloud Services have several practices in place to provide high availability and resilience. Visit the Security and Privacy overview article in the documentation for a detailed list of implemented practices.

Employee access is strictly limited to individuals who need it for system maintenance, limiting exposure to sensitive information.

CKEditor offers extensive customization for security settings, including CSP, access controls, and encryption options to fit your security posture.

We maintain the following staffing and security process protocols:

  • Dedicated InfoSec Team

  • Continuous automated code scans during development and post-release

  • Automated static analysis code scans

  • Peer code reviews

  • Manual and automated QA process

  • Network of security researchers, developers, and customers reporting security vulnerabilities

  • Annual pen tests conducted by an independent security firm

  • Frequent patch releases and security updates

  • GDPR compliance in data security and processing practices

CKSource has a 90-day disclosure policy once a vulnerability has been verified. After a security patch has been released, CKSource will disclose the vulnerability through these public sources:

  • MITRE CVE

  • GitHub GHSA (GitHub Security Advisories)

  • Product release notes

Please send all security reports to security@ckeditor.com. Include detailed steps to replicate the vulnerability. This applies to all CKEditor digital assets, including websites, blogs, and software products.

Our InfoSec team will review your report and, once the issue is verified, provide a remediation plan. We will also discuss the timeline for public disclosure.
