Would [security] also be an issue with a static website? I only have a vague notion of how website hacking works but I would think that if all a server does is output a fixed set of html pages, it's impossible to "get in".
Setting up a website - ERE style
Re: Setting up a website - ERE style
It's not impossible, just harder (the attack vector is smaller). Since there's no software that you wrote on your own, there won't be any vulnerabilities there - but there are still vulns in the operating system and standard software that you use (ssh daemon, apache web server etc.). Installing a security-minded Linux distribution (one with most services turned off by default, so that the attack vector is smaller), configuring the firewall properly and then keeping the software up to date should minimize the risk to the point where I wouldn't worry about it though.
Re: Setting up a website - ERE style
It might not be very ERE, but for static sites you can often use a cloud provider's managed service, which abstracts away the server the site is hosted on. You will only have access to upload the site's composite files, typically using SFTP. Your site will be isolated from any others, so the worst that could happen is an attacker hijacks your site to serve other content. This route only makes sense if you trust that "they" know better regarding security than you.
Re: Setting up a website - ERE style
Yes. The web server is still exposed to the Internet. The underlying applications remain at risk. As long as you accept communication, you can be compromised. The request for a web page is communication.
The degree of risk depends heavily on how the web server is hardened. A stock Windows install offers much more exposure than a Linux distro purpose built to serve static html.
Freely available tools can automatically map websites, servers and networks. That map can be used to automatically attempt ever evolving libraries of known attacks. The tools are highly configurable, allowing rapid customization to the target's exposed surface. Learning the basics takes a few hours. This is very low hanging fruit.
In a professional environment, there's an ever evolving hardening policy. The organization constantly attacks itself. Some go so far as to implement an immutable infrastructure. The entire server environment is read only. If you want to change it, you have to rebuild and redeploy. This is facilitated by scripting tools and virtualization. Almost nobody is running at scale on bare hardware.
When you're interfacing with cloud infrastructure, you're jumping to the logical conclusion of those patterns. Abstract away and standardize the complexity. Scale makes for better security and stability than you could ever hope for personally.
Re: Setting up a website - ERE style
Containers probably offer the best combination of security and self-hosting, if wanting to avoid managed cloud services. They are easy to set up, secured by design, and you can run docker on quite minimal hardware with Linux. It also means you're not locked into a platform, because the container is deployable anywhere you can run docker.
Re: Setting up a website - ERE style
Scott 2 wrote: ↑Sun May 07, 2023 12:55 pm
> Yes. The web server is still exposed to the Internet. The underlying applications remain at risk. As long as you accept communication, you can be compromised. The request for a web page is communication.
> The degree of risk depends heavily on how the web server is hardened. A stock Windows install offers much more exposure than a Linux distro purpose built to serve static html.
With GitHub Pages, that risk comes down to how well you can restrict write-access to the Git repository backing the Page. Using SSH keys (ed25519), a strong & unique password, and 2FA, you'll probably be fine.
Re: Setting up a website - ERE style
avalok wrote: ↑Sun May 07, 2023 5:02 pm
> Containers probably offer the best combination of security and self-hosting, if wanting to avoid managed cloud services. They are easy to set up, secured by design, and you can run docker on quite minimal hardware with Linux. It also means you're not locked into a platform, because the container is deployable anywhere you can run docker.
Wait, are you recommending docker for a simple static web site? Docker is not free (it introduces extra abstractions to figure out and later deal with) and I can't see what it's adding on top of a bare metal box (e.g. Raspberry Pi for minimal initial investment and ongoing costs).
Re: Setting up a website - ERE style
I think it depends on the use case and the environment within which the site will be hosted. If the server will be used for other services, then it would be worthwhile isolating the site from the rest of the system. Docker can be used in this case to achieve something similar to a BSD jail. Any services running alongside the site cannot be affected by attacks on that site; server configurations can be made local to each service so that they do not conflict. In a way, this more easily allows you to make better use of a single piece of hardware.
I am also a fan of reproducible and declarative environments. The entire environment is defined in code; this means you can see what is required to run the site, and its configuration, in a single place; it also means that deploying to other hardware or locations is much more trivial.
It seems like unnecessary overhead, but I do think it can give you a lot of flexibility and maintainability.
Re: Setting up a website - ERE style
I simply hardcode my site with VS Code as an editor....
But VS Code is too bloated for me, anyone have a better option that is more simple?
Then, I simply FTP my html pages up to the webhost using FileZilla...
My main problem at this point is trying to devise a TEMPLATE system that stays consistent that I can keep re-using on my site.
Any ideas on this would be great....
Re: Setting up a website - ERE style
Vim is simple, but very powerful at the same time. It does come with a bit of a learning curve though.
> My main problem at this point is trying to devise a TEMPLATE system that stays consistent that I can keep re-using on my site.
No idea, sorry. The code I write is usually more backend...
Re: Setting up a website - ERE style
@tylerrr, aren't you describing CSS? Maybe I've misunderstood the question.
Re: Setting up a website - ERE style
I'm also a bit confused here as it seems like the answer is too obvious?! Make a CSS file and one or more template HTML files that you copy and write in your content. This is how things were done in the 1990s.
Re: Setting up a website - ERE style
A content management system, like WordPress, is designed around solving this very problem. There's an advantage to abstracting away various delivery problems - browsers, devices, accessibility, etc.
Re: Setting up a website - ERE style
HTML file + PHP file + CSS file + JavaScript file + SQL relational database (like PostgreSQL), on Visual Studio Code. If you wanna get fancy, React.JS. Spend 6 months to a year figuring that all out via TeamTreeHouse.com.
If you don't wanna learn any of that, WordPress or Square.
Re: Setting up a website - ERE style
basuragomi wrote: ↑Wed May 31, 2023 10:37 am
> @tylerrr, aren't you describing CSS? Maybe I've misunderstood the question.
Yes, I'm doing that currently....
I have html files, a css file, some JS files for a few scripts that I wrote.
That's all.
But....I'm saying sometimes I'm running into problems where I need to update a Template and then I need to go BACK and correct all the old pages that I already published via FTP.
Anyone suggest a way of me making those changes automated where I can scan all my old files and make the edits quickly?
I'm sure there is a way with JavaScript somehow.
Also, I'm open to anyone's suggestion on absolute MINIMALIST template tags they would use on a MINIMALIST web page/site.
I love the thought of simplifying the web site process even more without using CMS like WP, etc.
Questions:
1. What FTP do you like besides FileZilla that is simple and fast?
2. What's your suggestion on Template tags for a web page that you think suffices for all needed?
<html>
<head>
<meta description>
<title>
<h1>
<h2>
<p>
<script>
3. What editor would you use to spellcheck your content and Tags before you hit the publish button?
4. Anything else that comes to mind?
Re: Setting up a website - ERE style
How big a site are we talking about?
Back in prehistoric times, awk and perl were popular choices for automagic line editing. If we're talking less than 10 pages, just edit them manually. Emacs made such a cut&paste job fairly easy. Another way would be to assemble the actual HTML out of header and footer files or even more different kinds of files and assemble them with something like cat header.html blog1.html footer.html >blogpost1.html and so on; using make to "recompile" the entire site.
But it sounds like you're on a point/click/drag Windows system, so I don't know ...
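
The header/footer assembly described in the post above, with a make-style "rebuild only what is stale" check, as an added example that is not part of any post in this thread. The directory layout (`src/header.html`, `src/footer.html`, `src/pages/*.html`) and the function name `build_site` are assumptions made for illustration; the output is plain HTML, so the shared footer needs neither client-side JavaScript nor PHP on the server.

```sh
#!/bin/sh
# Added example (not from the thread): assemble static pages from shared fragments.
# Assumed layout: SRC/header.html, SRC/footer.html, SRC/pages/*.html
# Usage: build_site ./src ./public   (then upload ./public over SFTP)

# build_site SRC OUT -> sets REBUILT to the number of pages regenerated
build_site() {
    src=$1
    out=$2
    REBUILT=0

    # Refuse to publish pages that would be missing the shared fragments.
    [ -f "$src/header.html" ] && [ -f "$src/footer.html" ] || {
        echo "missing header.html or footer.html in $src" >&2
        return 1
    }
    mkdir -p "$out" || return 1

    for body in "$src"/pages/*.html; do
        [ -f "$body" ] || continue              # glob matched nothing
        page=$out/$(basename "$body")

        # Same rule make applies: rebuild when the output is absent
        # or any of its three inputs is newer than it.
        if [ ! -f "$page" ] ||
           [ "$body" -nt "$page" ] ||
           [ "$src/header.html" -nt "$page" ] ||
           [ "$src/footer.html" -nt "$page" ]; then
            tmp=$page.tmp.$$
            cat "$src/header.html" "$body" "$src/footer.html" > "$tmp" || {
                rm -f "$tmp"
                return 1
            }
            chmod 644 "$tmp"                    # readable by the web server, writable only by the owner
            mv "$tmp" "$page"                   # rename, so a half-written page is never left in OUT
            REBUILT=$((REBUILT + 1))
        fi
    done
}
```

Changing `footer.html` and re-running the function regenerates every page, while editing a single file under `pages/` regenerates only that page.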
Re: Setting up a website - ERE style
Thanks everyone for the suggestions.
Yes, I use sftp.
Yeah, a compare tool like that might work if I can quickly select new files on the right side to compare to my "good template" on the left side.
Then, I could just flip through all the pages on the site.
Not a big site yet...
Yes, right now I'm actually using JavaScript to spit out the footer on each page so it's always the same footer (I'm not sure if this is best practice to use JavaScript for something like this...).
But yes, I think you're saying I could kind of do what WordPress does. Make a separate html template for each PART of a single web page.
Then, when I change one of the templates, it automatically changes that part of the Page on every page of the site.
Does anyone here know if I could accomplish those different page templates using only JavaScript or would I need to use PHP?
So grateful to find like minded souls on this stuff.