Every description of the JAMstack seems to mention "security" as a benefit, e.g.:
The static nature of a JAMstack app makes scaling easy, and causes little to no dev-ops overhead. The JAMstack approach can also improve your app's security posture since static sites generally have a small attack vector.
https://www.contentful.com/r/knowledgebase/jamstack-cms/
delivers better performance, higher security, lower cost of scaling, and a better developer experience.
I really don't understand what's "more secure" about it. All I am seeing are quotes like this:
developers could leverage the expertise of third-party services to enhance the security features of your website/app
So, in short, is the only "security" here coming from the fact that Auth0, Okta, or whoever else is supposed to be good at security because it's their focus? Or am I missing something?
Edit, found one more quote:
With no databases, plugins, or dynamic software running on your server, the potential for code injection and hacks is reduced enormously. When your website is a collection of static files, all dynamic functions are instead handled with APIs and client-side JavaScript, negating the need to rely on CMS plugins. While it’s entirely possible that an external API handling persistent data may expose a vulnerability, eliminating your CMS removes numerous points of failure and attack vectors. For static blogs, it’s not a stretch to say that security essentially becomes a non-issue, at least when compared to a typical WordPress installation.
https://builtvisible.com/go-static-try-jamstack/
So, it seems like most of the "security" is just not having WordPress?
Yes, that's basically it.
Having "no WordPress" means:
It dramatically narrows down the attack surface.