
Safe and secure rich text editing

Trusted by 1.5M+ developers. Used in 100M+ apps. No matter the project, TinyMCE + React integrates seamlessly.

Ensure data security, availability and confidentiality

Trusted in over 100 million products spanning security-conscious industries such as finance, government, healthcare and education, TinyMCE is the only commercially available rich text editor backed by a SOC 2 Type 2 compliant entity.

Is security a concern for your HTML text editor?

Cloud Security

"Tiny Cloud" is Tiny's Cloud-hosted version of TinyMCE, its features and its services. Users of Tiny Cloud access TinyMCE using a tiny.cloud URL containing their API Key. The following data are associated with an API Key:

  • JWT Keys for Tiny Drive
  • Custom dictionaries for Spell Checker
  • Allowed domains
  • A set of allowed features, depending on your subscription plan

Tiny Cloud is a multi-tenant system made up of the following components:

  • Tiny Cloud Distribution
  • Tiny Cloud Services

Tiny Cloud Distribution

This is a distribution frontend hosted by AWS CloudFront. It serves TinyMCE and associated script, style and image files. When serving TinyMCE, Tiny Cloud pre-configures TinyMCE to add the following:

  • Metrics tracking
  • Configuration for Tiny Cloud Services

Tiny Cloud Distribution restricts access based on:

  • The API Key (part of the URL path)
  • The features enabled on that API Key
  • The HTTP Referer header

If you are not entitled to a feature, requests to URLs which require that feature will either return an HTTP error code or a "dummy" version of the resource you requested. The dummy versions typically display an error message.

The HTTP Referer must match an Allowed Domain configured on your account. Allowed Domains can be configured via the Tiny Account website.

Browsers that do not send an HTTP Referer (such as Brave) are not compatible with Tiny Cloud Distribution.

Note: Tiny does not consider an API Key to be private or sensitive data.
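The three checks listed above (API Key, enabled features, HTTP Referer against Allowed Domains) can be expressed as a small request gate. The following is an added illustration, not Tiny Cloud's own code: the account table, the key string "demo-api-key", the feature names and the function names are all invented for the example. It also shows why the Referer caveat matters (a request with no Referer is refused) and why the domain match is anchored on a dot rather than done as a substring test.

```python
from urllib.parse import urlsplit

# Constructed sample account data. A real gateway would load the allowed domains
# and enabled features for an API Key from the account backend; these values
# and the key string are made up for the example.
ACCOUNTS = {
    "demo-api-key": {
        "domains": {"app.example.com", "example.org"},
        "features": {"core", "spellchecker"},
    },
}


def referer_host(referer):
    """Return the lowercase hostname from a Referer header value, or None when
    the header is absent, has no http(s) scheme, or cannot be parsed."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_allowed(host, domains):
    """True for an exact match or a subdomain of an allowed domain.
    A substring test such as '"example.org" in host' would wrongly accept
    hosts like example.org.attacker.test, so the suffix is anchored on a dot."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def gate_request(api_key, feature, headers):
    """Decide whether a request for `feature` under `api_key` may be served.
    Returns (status, reason); a real distribution would map 403 either to an
    HTTP error or to the "dummy" resource the page describes."""
    account = ACCOUNTS.get(api_key)
    if account is None:
        return 403, "unknown API key"
    host = referer_host(headers.get("Referer"))
    if host is None:
        # Browsers that send no Referer cannot pass this check.
        return 403, "missing or unparseable Referer"
    if not host_allowed(host, account["domains"]):
        return 403, f"referer host {host} is not an allowed domain"
    if feature not in account["features"]:
        return 403, f"feature {feature} is not enabled for this API key"
    return 200, "ok"


if __name__ == "__main__":
    sample = {"Referer": "https://app.example.com/editor"}
    print(gate_request("demo-api-key", "core", sample))       # (200, 'ok')
    print(gate_request("demo-api-key", "tinydrive", sample))  # 403: feature not enabled
    print(gate_request("demo-api-key", "core", {}))           # 403: no Referer
```

The Referer is treated as an entitlement hint, not a secret: as the page notes, the API Key itself is not considered sensitive, so the gate only ever decides whether to serve a resource, never who the user is.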

Tiny Cloud Services

Tiny Cloud Services are Cloud-hosted server-side components used by TinyMCE. They're the Cloud equivalent of the Self-hosted services, and overlap in functionality.

Tiny Cloud Services restrict access based on:

  • The API Key (part of the URL path)
  • The features enabled on that API Key
  • The HTTP Referer header

Cookies

TinyMCE, TinyMCE Premium Plugins, TinyMCE Server-Side Components and Tiny Drive do not make use of cookies.

TinyMCE's website https://www.tiny.cloud/ does use cookies for collecting marketing data.

For more information on security, visit the TinyMCE docs.

Self-Hosted Security

Security-sensitive customers (such as those in regulated industries) may want to consider using TinyMCE Self-Hosted. This solution gives you full control over the hosting and the data processed. Data processed using these systems is not sent to any servers that Tiny controls – you host the core editor and premium plugins on your own infrastructure.

Certain TinyMCE features and plugins may, however, access external services; a detailed list is available from your Account Manager. All of these features can be disabled should they not fit within your risk profile.

The server-side components restrict access based on configurable CORS allowed origins, while some services additionally provide authentication based on JWT.
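For the services that authenticate with JWT, the checks a server-side component must make before trusting a token are worth spelling out. The verifier below is an added example and not Tiny's server-side code: it pins the algorithm (so a token naming "none" or a different algorithm is rejected rather than honoured), compares the signature in constant time, and requires an unexpired numeric exp claim. HS256 with a shared secret is assumed only so the example runs offline; the page does not say which algorithm Tiny's services use, and DEMO_SECRET, make_token and verify_token are names chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only; real deployments keep keys out of source.
DEMO_SECRET = b"example-only-shared-secret"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims, secret):
    """Issue an HS256 JWT (a constructed issuer so the verifier can be exercised)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token, secret, now=None):
    """Return the claims if `token` is valid, otherwise None.

    Checks, in order: three dot-separated segments; decodable JSON header and
    payload objects; the algorithm pinned to HS256 (the token is never allowed
    to choose the algorithm); a constant-time signature comparison; and a
    numeric `exp` that is still in the future.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    token = make_token({"sub": "user-1", "exp": int(time.time()) + 300}, DEMO_SECRET)
    print(verify_token(token, DEMO_SECRET))          # the claims
    print(verify_token(token, b"another-secret"))    # None: signature mismatch
```

Combined with the CORS allowed-origins setting, this gives two independent gates: the browser enforces which origins may talk to the service at all, and the service itself refuses any request whose token fails verification.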

Scripts and XSS vulnerabilities

TinyMCE filters content such as scripts out of the editor content; however, client-side filtering can be bypassed by attackers. Tiny recommends processing received editor content through server-side filters.

SVGs (Scalable Vector Graphics) are not supported in TinyMCE to protect our users and their end-users. SVGs can be used to perform both client-side and server-side attacks.

TinyMCE can be used with a Content Security Policy (CSP) header.
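Server-side filtering of the kind recommended above, shown as an added example; this is not TinyMCE's own content filter or any Tiny server-side code. It is an allowlist sanitizer on Python's standard-library html.parser: the fragment is rebuilt from a short list of permitted tags and attributes, script/style/svg and a few other elements are removed together with their contents (svg for the reasons the page gives), event-handler attributes never survive because they are not on the allowlist, and href/src values are kept only when their scheme is allowlisted. The tag and attribute lists, the scheme list and the names AllowlistSanitizer, safe_url and sanitize are choices made for the example. A CSP header on the page that embeds the editor remains a complementary, not a replacement, control.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for the example; an application keeps only the markup
# it genuinely needs to store. Everything not listed here is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "h1", "h2", "h3",
                "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "svg", "math", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """Accept relative URLs and a few absolute schemes; reject javascript:,
    data: and the like. Whitespace and control characters are stripped before
    the check because browsers ignore them inside a scheme."""
    v = "".join(ch for ch in value.lower() if ch.isprintable() and not ch.isspace())
    if v.startswith(SAFE_SCHEMES):
        return True
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return ":" not in head


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from the allowlist, so the output contains only
    known tags and attributes regardless of what the client sent."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # discards on* handlers, style, class, ...
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag not in self.open_tags:
            return  # stray close tag
        while self.open_tags:  # close anything still open inside it
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are dropped simply
    # by not overriding their handlers.

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Server-side filter to apply to editor content when it is received."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()
```

The design fails closed: an element such as svg that is never closed swallows the rest of the fragment rather than letting any of it through, and unknown elements are stripped while their text is kept so ordinary content is not lost.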

From the 1st of January 2020, Security Advisories for patched XSS vulnerabilities will be published on the TinyMCE GitHub repository Security page. For more information on security, visit the TinyMCE docs.

Security Scanning, Testing and Reporting

TinyMCE uses industry-leading tools to scan code for problematic code patterns or known vulnerabilities from third parties. Dependencies are updated before the next version (major or minor) is released.

Tiny's products are predominantly written in statically typed, memory-safe languages, which inherently reduces the risk of runtime errors and of vulnerabilities related to memory use.

Tiny values the work of security researchers in improving the security of technology products worldwide. We welcome researchers who wish to responsibly disclose vulnerabilities in our products or systems. Note that we do not offer any “bug bounty” program or any form of payment for disclosed vulnerabilities. If you would like to report a vulnerability, please email infosec@tiny.cloud.

For more information on security, visit the TinyMCE docs.

FAQs

How does Tiny ensure the security of its products?

We maintain the following staffing and security process protocols:

  • Dedicated InfoSec Team
  • Continuous automated code scans during development and post-release
  • Automated static analysis code scans
  • Peer code reviews
  • Manual and automated QA process
  • Network of security researchers, developers and customers reporting security vulnerabilities
  • Annual penetration tests conducted by an independent security firm
  • Frequent patch releases and security updates

How do I report a security vulnerability to Tiny?

Please forward all security reports to infosec@tiny.cloud. The report should include a replication case so we can reproduce the vulnerability. This covers all security matters relating to Tiny's digital presence, including websites, blogs, product portals and all software products.

The Tiny InfoSec Team reviews all vulnerability reports sent to infosec@tiny.cloud. Once Tiny has completed its review and can replicate the issue, we will share a remediation response plan with you and discuss public disclosure time frames.

What is Tiny’s vulnerability disclosure policy?

Tiny has a 90-day disclosure policy once a vulnerability has been verified. After a security patch has been released, Tiny will disclose the vulnerability through these public sources:

  • MITRE CVE
  • GitHub GHSA
  • Product release notes

Does Tiny offer a bounty or reward for finding security vulnerabilities?

Tiny does not offer any cash rewards or bounties for finding security vulnerabilities. Once a vulnerability has been verified and patched, Tiny will attribute you as the finder of the security vulnerability in Tiny’s public disclosure.

Does TinyMCE allow me to customize any security configuration options?

To further enhance security for customers integrating TinyMCE into their applications, we offer customizable security configuration options to suit different use cases. See our Security Guide documentation for details.

© Copyright 2024 Tiny Technologies Inc.

TinyMCE® and Tiny® are registered trademarks of Tiny Technologies, Inc.