Enterprise Security — Included Free
Crypto audit logs, SAML 2.0, SCIM 2.0, and Field-Level Access Control (FLAC) are all included at no cost. Competitors charge thousands per year.
What's Included (Free)
SHA-256 Chained Audit Logs
Every mutation is cryptographically chained. Tamper-evident, SOC 2 and GDPR compliant. Hashing is offloaded to Worker Threads — no main event loop impact.
Field-Level Access Control (FLAC)
Physically strips unauthorised fields from API responses at the database adapter level. Not just hidden in the UI — genuinely absent from the response.
SAML 2.0 Enterprise SSO
Connect Okta, Azure AD, and Google Workspace via BoxyHQ Jackson Hub. JIT provisioning included. No enterprise tier required.
SCIM 2.0 Provisioning
RFC 7644 compliant automated user lifecycle management. Create, update, and deactivate users from your IdP automatically.
Fail-Closed API Dispatcher
All 40+ API endpoints must be explicitly registered. Unmapped routes are denied by default — zero Shadow API vulnerabilities.
Self-Healing Load Shedding
At 90% heap pressure, mutation traffic is automatically rejected with a compressed 503 — read availability is always protected.
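A minimal sketch of the hash-chaining idea behind the SHA-256 chained audit logs listed above, added here as an illustration and not SveltyCMS's own code; the entry fields, the `GENESIS` value and all function names are assumptions. It also shows that a chain only reveals truncation when the latest hash is kept somewhere the log writer cannot change.

```javascript
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed anchor for the first entry

// Hash a fixed-order array so the same entry always serialises identically.
function entryHash(prevHash, e) {
  const canonical = JSON.stringify([prevHash, e.seq, e.ts, e.actor, e.action, e.target]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Append a mutation record linked to the hash of the previous record.
function append(log, fields) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { seq: log.length, ...fields, prevHash };
  entry.hash = entryHash(prevHash, entry);
  log.push(entry);
  return entry;
}

// Walk the chain; expectedHead is the last hash as stored outside the log.
function verify(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return { ok: false, brokenAt: i, reason: "sequence gap" };
    if (e.prevHash !== prev) return { ok: false, brokenAt: i, reason: "broken link" };
    if (entryHash(prev, e) !== e.hash) return { ok: false, brokenAt: i, reason: "content modified" };
    prev = e.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) {
    return { ok: false, brokenAt: log.length, reason: "head mismatch" };
  }
  return { ok: true, head: prev };
}

// Constructed sample entries, not real audit data.
function buildSampleLog() {
  const log = [];
  append(log, { ts: "2026-01-01T10:00:00Z", actor: "alice", action: "update", target: "posts/1" });
  append(log, { ts: "2026-01-01T10:05:00Z", actor: "bob", action: "delete", target: "media/7" });
  append(log, { ts: "2026-01-01T10:09:00Z", actor: "alice", action: "create", target: "users/3" });
  return log;
}

const log = buildSampleLog();
const { head } = verify(log);
const edited = log.map((e) => ({ ...e }));
edited[1].actor = "mallory";
console.log(verify(log, head), verify(edited, head), verify(log.slice(0, 2)), verify(log.slice(0, 2), head));
```

A truncated copy of the log verifies cleanly on its own and only fails once the externally stored head hash is supplied.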
What Competitors Charge Extra For
Strapi and Payload require enterprise plans ($10k+/year) for features SveltyCMS includes free.
| Feature | SveltyCMS | Strapi | Payload | Directus |
|---|---|---|---|---|
| Crypto Audit Logs | ✅ Free | Enterprise Plan | Enterprise Plan | Enterprise Plan |
| SAML 2.0 SSO | ✅ Free | Enterprise Plan | Enterprise Plan | Enterprise Plan |
| SCIM 2.0 Provisioning | ✅ Free | Enterprise Plan | ❌ None | ❌ None |
| Field-Level Access Control | ✅ Free | Enterprise Plan | Partial | Enterprise Plan |
Why This Matters: The CVE Record
In 2026, Directus published multiple critical CVEs (user enumeration, GraphQL DoS). Payload had XSS and SSRF vulnerabilities. SveltyCMS has a fail-closed architecture that prevents entire classes of vulnerabilities.
Directus 2026 CVEs
User enumeration, GraphQL DoS attacks, controversial license changes
Payload 2026
XSS vulnerabilities, SSRF issues — security is an ongoing battle
SveltyCMS: Fail-Closed Architecture
Entire classes of vulnerabilities are prevented by design — not patched reactively