Skip to content
JDesk
Concepts

Security model

Why JDesk enforces its trust boundary in Java.

The single trust boundary is the Java-side check on every invoke — the frontend is never trusted to enforce anything.

  • Deny by default — every command is classified at compile time; the capability engine evaluates before your code runs.
  • Origin & navigation locking — production navigation is restricted to the app origin; popups are denied.
  • Strict CSP — inline scripts and eval are blocked.
  • Asset path-traversal defenses — paths are rejected, not repaired.
  • Error redaction — handler exceptions become INTERNAL_ERROR; detail stays in Java logs.