AtmaJyoti CMS technical specifications

// single-file · zero-dependency · self-hosted

One file. Zero dependencies. Full control.

AtmaJyoti CMS is an entire content management and security system inside a single server.js — no npm packages, no database, no build step. It runs on Node.js over Windows / IIS / Plesk and is readable end to end.

1 server.js file
0 npm dependencies
230+ automated tests
JSON flat-file storage

01 Architecture with no attack surface

Every line is yours. Nothing comes from third parties.

connection-rate limiter: sliding window per IP · 429 on flood
auto-ban + geo-block: fail2ban-style · by country
CSRF + session guard: constant-time · HttpOnly · SameSite
router → server.js: flat-file JSON · in-memory index
content + admin UI: pages · blog · events · newsletter

zero supply-chain risk

Zero npm dependencies

No third-party library means no supply-chain gap — the problem that has hit thousands of Node projects. Whatever runs, you can see it.

npm ls → (empty)

auditable

One readable file

The entire system lives in one server.js. You need no tools, bundlers or framework knowledge to review or change it.

1 file · fully auditable

no database

Flat-file JSON storage

Data in plain JSON files. Backup = folder copy. No SQL injection surface, no database service to maintain.

data/*.json + in-memory index

tested

230+ tests, zero dependencies

The test suite runs on the built-in node:test — no Jest, no Mocha. Every build passes all of them before it ships.

node test.js → all pass / 0 fail

02 Enterprise-grade security stack

Tested in production against constant attacks.

[✓] Geo-IP country blocking: Block by country, with a separate list for the admin.
[✓] Auto-ban (fail2ban-style): Offense accumulation → automatic ban + email alert.
[✓] Connection-rate limiting: Sliding window per IP; instant 429 on flood/DoS.
[✓] Brute-force lockout + honeypot: Lockout after X failures, with a bot trap.
[✓] CSRF on every admin POST: Per-session token with constant-time comparison.
[✓] scrypt password hashing: N=16384 · constant-time verify.
[✓] Login alerts (success & fail): Email with user, time, IP, country — instant detection.
[✓] Security dashboard + logs: Threat summary by country, filterable events.
[✓] Path-traversal & zip-slip guards: Checks on pages, uploads, static, backup restore.
[✓] Upload triple-validation: Extension whitelist + magic bytes + size limit.
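
The three upload checks named in the list above (extension allowlist, magic bytes, size limit) can be done with Node.js built-ins only, as in this added example. It is not AtmaJyoti CMS source code; `validateUpload`, `MAX_BYTES` and the allowlist contents are assumptions.

```javascript
// Added illustration; not AtmaJyoti CMS source code.
// MAX_BYTES and the allowlist below are assumed values.
const MAX_BYTES = 5 * 1024 * 1024;

// Allowed extension -> signatures the file content must start with.
const ALLOWED = new Map([
  ['.png', [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])]],
  ['.jpg', [Buffer.from([0xff, 0xd8, 0xff])]],
  ['.jpeg', [Buffer.from([0xff, 0xd8, 0xff])]],
  ['.gif', [Buffer.from('GIF87a', 'latin1'), Buffer.from('GIF89a', 'latin1')]],
  ['.pdf', [Buffer.from('%PDF-', 'latin1')]],
]);

// Extension of the final path component only, lower-cased.
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot).toLowerCase() : '';
}

function validateUpload(filename, data) {
  // Check 1: size limit, before any content inspection.
  if (!Buffer.isBuffer(data) || data.length === 0) return { ok: false, reason: 'empty' };
  if (data.length > MAX_BYTES) return { ok: false, reason: 'too-large' };

  // Check 2: extension allowlist; control characters (e.g. NUL) are rejected.
  if (/[\x00-\x1f]/.test(String(filename))) return { ok: false, reason: 'filename' };
  const ext = extensionOf(filename);
  const signatures = ALLOWED.get(ext);
  if (!signatures) return { ok: false, reason: 'extension' };

  // Check 3: content must begin with a signature registered for that extension.
  const matches = signatures.some(
    (sig) => data.length >= sig.length && data.subarray(0, sig.length).equals(sig)
  );
  return matches ? { ok: true, ext } : { ok: false, reason: 'magic-bytes' };
}

// Constructed sample inputs.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const TEXT_BODY = Buffer.from('plain text, not an image', 'latin1');
const SAMPLES = [
  ['photo.png', PNG_HEADER],   // all three checks pass
  ['photo.png', TEXT_BODY],    // allowed extension, content does not match
  ['shell.php', PNG_HEADER],   // image bytes, extension not on the allowlist
  ['report.PDF', Buffer.from('%PDF-1.7\n', 'latin1')], // extension match is case-insensitive
];
for (const [name, data] of SAMPLES) console.log(name, validateUpload(name, data));
```

Each check covers a gap the others leave: the extension alone is client-controlled, the magic bytes alone say nothing about how the server will later serve the file, and the size limit bounds the cost of the other two.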

"It's no longer just a flat-file CMS. The security & operations layer — geo-blocking, auto-ban, rate limiting, dashboards — is the kind of capability you usually find in managed enterprise platforms."

// technical architecture review

03 Built for real deployment

Windows / IIS / Plesk — production, not theory.

iisnode-ready

Windows / IIS / Plesk

Runs native via iisnode with a ready, tested web.config — request filtering, HTTPS detection, separate log directories.

web.config · hardened variant

resilient

Resilient in operation

Schedulers with retry/backoff, exception handlers, health checks — one error won't take the site down. Correct HEAD handling for uptime monitors.

graceful degradation

recoverable

Recycle Bin, 10 types

Pages (with full version history), posts, events, to-dos, subscribers, FAQ, polls, forms, PDF, media — soft-delete with restore.

restore + 60-day auto-purge

self-contained

Backup = copy

With no database, a backup is a simple folder copy. Move to a new server without migrations, without dumps.

copy data/ → done