
Is Sanity Secure? Security Features, Risks, and Hardening

Yes, Sanity is generally secure when configured correctly. Here is what you need to know about its built-in protections, common vulnerabilities, and how to harden it for production.

Built-in Security Features

Hosted content lake with enterprise-grade infrastructure
Separate read and write API tokens with granular permissions
CDN-cached API responses with edge-level caching
Built-in image pipeline prevents malicious file uploads
GROQ query language with no direct database access

Common Vulnerabilities

Exposed write tokens in client-side code allowing content modification
GROQ injection through unsanitized user input in queries
Overly permissive dataset visibility (public vs private)
Unauthorized access through misconfigured CORS origins

Hardening Checklist

1. Use read-only tokens in client-side applications
2. Set datasets to private and use authenticated queries
3. Configure CORS origins to only allow your domains
4. Sanitize user input before including it in GROQ queries
5. Enable SSO for Sanity Studio access
6. Use viewer tokens with minimum required permissions
7. Implement webhook secrets for secure content sync
8. Audit project members and token usage regularly
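The input-handling step above, as an added example that is not part of the page or of Sanity's own code: it contrasts a GROQ query built by string concatenation with a parameterised one in the shape that `@sanity/client`'s `fetch(query, params)` accepts. The client object is a constructed stand-in so the file runs offline, and the slug character set is an assumption about the schema.

```javascript
// Vulnerable pattern: user input is spliced into the query text, so a value
// containing quotes or operators changes the structure of the filter.
function buildPostQueryUnsafe(slug) {
  return `*[_type == "post" && slug.current == "${slug}"][0]{title, body}`;
}

// Hardened pattern: the query text is a constant; the value travels as the
// named GROQ parameter $slug and is never interpreted as query syntax.
const POST_BY_SLUG =
  '*[_type == "post" && slug.current == $slug][0]{title, body}';

// Defence in depth: allow-list the value itself. Assumption: slugs in this
// schema are lowercase letters, digits and hyphens, at most 96 characters.
const SLUG_RE = /^[a-z0-9-]{1,96}$/;

function buildPostQuery(slug) {
  if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
    throw new Error('invalid slug');
  }
  return { query: POST_BY_SLUG, params: { slug } };
}

// Constructed stand-in for a @sanity/client instance; the real client exposes
// fetch(query, params) with the same shape, returning a promise.
function makeFakeClient() {
  const calls = [];
  return {
    calls,
    async fetch(query, params = {}) {
      calls.push({ query, params });
      return { title: 'stub', body: [] };
    },
  };
}

// Application code path: validate, then pass the value as a parameter.
async function getPost(client, slug) {
  const { query, params } = buildPostQuery(slug);
  return client.fetch(query, params);
}

// Constructed value that closes the string literal and appends an always-true
// condition; with concatenation it widens the filter, with parameters it is
// rejected by the allow-list and would otherwise stay an ordinary string.
const HOSTILE_SLUG = '" || true || _type == "';
```

With a real project, `makeFakeClient()` is replaced by `createClient({...})` from `@sanity/client`; the `getPost` call site does not change.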

Frequently Asked Questions

Is Sanity secure?

Yes, Sanity is generally secure when configured correctly. It includes built-in protections such as a hosted content lake with enterprise-grade infrastructure. However, common misconfigurations and development patterns can introduce vulnerabilities.

What are the main security risks with Sanity?

The most common Sanity security risks include exposed write tokens in client-side code allowing content modification, GROQ injection through unsanitized user input in queries, and overly permissive dataset visibility (public vs private).

How do I harden Sanity for production?

Key hardening steps: Use read-only tokens in client-side applications. Set datasets to private and use authenticated queries. Configure CORS origins to only allow your domains. Run a security check on your domain to identify specific issues.

Check if your Sanity application has these vulnerabilities

Free security check — SSL, headers, DNS, email authentication, and more. No signup required.
