8. Settings
Settings allows specifying the operational values for a site.
Access
This section contains flags for enabling extra access or other functionality.
# | Name | Description |
---|---|---|
1 | Accessibility | If turned on, the public site will show links as underlined and not justify text. A logged-in user can set their own accessibility preference on the Users page |
2 | 2-factor login | If turned on, after submitting a password, an email will be sent to the user's email address with a link which, when clicked, will allow entry to the management pages. The resulting Close me browser page can then be closed if it didn't close immediately. This ensures that someone logging in is likely to be the legitimate user. However, this process relies upon the user having the only access to their emails |
3 | Guest mode | If turned on, Guest users can be created to allow view-only access to almost all management pages for training or learning. Never turn on for a production site. If turned off, all current Guest users will be deleted |
4 | Strict Done | If turned on, hides the All done button in the Phase selection section of the History page to mitigate against releasing straight after some edits without thinking about what other edits for other locales might also be needed. Irrelevant if only one locale |
These are all turned off by default.
Values
This section covers site-wide values used by Smallsite Design.
# | Name | Description |
---|---|---|
1 | Site ID | Short identifier used as the prefix for archive file names. This uses basic ASCII alphabetic characters so that it should display properly in all operating systems. When a site is created, this is set to sd for Smallsite Design |
2 | Site name | Site name that is appended to the hidden title tag of a page in a browser. The full text of that tag will usually be displayed in the browser tab for the page, and will be used by search engines for determining page ranking |
3 | Copyright owner | Name of the copyright holder for the site. It should be the legally registered name for a business, or an individual's full name. It appears in page footers |
4 | Registration name | Name of the type of registration for the next field. It is provided to show information like business registration numbers that may be legally required to be displayed. If this field is blank, no registration details will appear in page footers |
5 | Registration ID | Identifier or number for the type of registration in the previous field. If this field is blank, no registration details will appear in page footers |
6 | Guest password | If a Guest user with ID of gu is created, the password automatically generated will be shown here, and can be displayed on a page using the Value element. Only shown in Guest mode |
# | Name | Example |
---|---|---|
1 | Site ID | sd as an identifier for Smallsite Design. Default for a new site, but needs changing as part of step 3 of Set up Smallsite Design |
2 | Site name | Smallsite Design |
3 | Copyright owner | Patanjali Sokaris or Company Pty Ltd |
4 | Registration name | ABN for Australian Business Number |
5 | Registration ID | 14 326 274 274 |
MIME types
MIME types define how the web server processes files so that they display properly in a browser page.
Only change these if you really know what you are doing.
Incorrect settings may affect how some files are displayed and processed.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required, such as for new multimedia file formats. No entries are required for file types that will only be downloaded and not viewed in a browser or played.
The currently recommended extension=MIME type combinations that you can cut-and-paste from here are:
csv=text/csv
epub=application/epub+zip
flac=audio/flac
gif=image/gif
ico=image/x-icon
jpg=image/jpeg
m4a=audio/mp4
mp3=audio/mpeg
mp4=video/mp4
oga=audio/ogg; codecs="vorbis"
ogv=video/ogg; codecs="theora, vorbis"
pdf=application/pdf
png=image/png
txt=text/plain
webm=video/webm; codecs="vp8.0, vorbis"
webp=image/webp
While technically a file with a specific extension can have multiple MIME types associated with it and vice-versa, Smallsite Design is keeping it simple by allowing only one MIME type to map to one extension. In those rare cases where a MIME type extension is already used, an alternate extension will need to be specified here for the new MIME type, and any files expected to use it need to be renamed to use the new extension before uploading them.
However, adding a MIME type here only allows it to be played on a page if a suitable handler for the file, like a codec for a media file, is already installed on the device or in the browser.
Settings
These settings facilitate linking to other sites or web services.
Only change these if you really know what you are doing.
Incorrect settings may inadvertently expose confidential information, or prevent search engines listing site content.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required.
# | Name | Description |
---|---|---|
1 | Disallowed agents | Names of web-crawling robots (bots), separated by |, that are to ignore the site. Each has an entry in the site's robots.txt file |
2 | Additional schemes | Names of communication protocols, other than https, and separated by |, that external sites might need at the front of their URLs for some of the services they offer. Cannot add the insecure http scheme. For almost all likely external sites to be linked to, no schemes have to be added here |
# | Name | Current recommendation |
---|---|---|
1 | Disallowed agents | – |
2 | Additional schemes | – |
Disallowed agents lists those bots being requested to ignore the site. As a request, the bots may ignore it. Many search engines' bots and all malicious bots will ignore it. However, some bots for AI sites, like GPTBot, currently do respect the request, so that site content can be prevented from being plagiarised by the AI for use in response to their users' queries.
The insecure http scheme cannot be added to Additional schemes. For almost all likely external sites to be linked to, no schemes have to be added here as https is the fairly universal standard for websites. However, some sites' content may only be available using special protocols, so they would have to be added here to allow them to be used in links to such sites because URLs are validated against these schemes. Do not include the :// usually used after the protocol name in this list, but it must be included in full URLs.
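One way the scheme validation described above could work, as an added Python example (not Smallsite Design's own code). The function names and the sample URLs are constructed for illustration, and requiring a host after `://` is an assumption about what counts as a full URL.

```python
from urllib.parse import urlsplit

def parse_additional_schemes(setting):
    """Split the |-separated Additional schemes value into scheme names."""
    schemes = set()
    for raw in setting.split("|"):
        name = raw.strip().lower()
        if not name:
            continue                      # blank setting or stray separator
        if name == "http":
            raise ValueError("the insecure http scheme cannot be added")
        if ":" in name or "/" in name:
            raise ValueError(f"list the scheme name only, without '://': {raw!r}")
        schemes.add(name)
    return schemes

def url_allowed(url, setting=""):
    """True if the full URL uses https or one of the added schemes."""
    allowed = {"https"} | parse_additional_schemes(setting)
    parts = urlsplit(url.strip())         # urlsplit lower-cases the scheme
    # A non-empty netloc means the URL really had 'scheme://host', which
    # rejects forms such as 'https:example.org' or '//example.org'.
    return parts.scheme in allowed and bool(parts.netloc)

if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://example.org/page", "http://example.org/page",
                 "ftp://files.example.org/a.zip"):
        print(link, url_allowed(link), url_allowed(link, "ftp|sftp"))
```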
Password checking
These settings configure how user passwords are checked against those that have been leaked.
Only change these if you really know what you are doing.
Incorrect settings may affect whether passwords are checked properly or at all.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required.
# | Name | Description |
---|---|---|
1 | Status | Whether checking passwords at login is enabled |
2 | URL | Prefix to the URL to the checking provider's command internet address. The parameters to check a password are added to this. If blank, no password checking is done |
3 | Hash protocol | Name of the method used to generate the hash from the password |
4 | Characters | Number of the first characters of the hashed password added to the URL |
# | Name | Current recommendation |
---|---|---|
1 | Status | Enabled |
2 | URL | https://api.pwnedpasswords.com/range/ |
3 | Hash protocol | sha1 |
4 | Characters | 5 |
The current settings are for a service provided by Troy Hunt and his Have I Been Pwned web site, using Cloudflare to service the huge number of daily requests in a timely manner at the edge servers of their cloud infrastructure. His database contains half a billion leaked passwords.
The process uses what is known as k-anonymity so that a password can be checked without the password, or its full hash, being sent to the provider. It involves hashing the password and sending off only the first few characters of the hash. A list of several hundred remainders of hashes that match that prefix is returned. If the tail end of the hash of the actual password is on the list, it is compromised.
Smallsite Design checks the password at login if more than a day has elapsed since the previous check. If the check fails, a highlighted notice will be displayed, prompting the user to change to another password. The change does not have to be made immediately, but the replacement will also be rejected if it fails when checked. The current master manager will be notified if a login check fails. New passwords are also checked, and if rejected, another new password will need to be provided.
If checking is disabled, any of the fields are blank, or the target password checking site is not available, Smallsite Design will proceed as if the check had passed, so that access to the site is not prevented.
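The k-anonymity check described above, as an added Python example (not Smallsite Design's own code). It builds the request from the four settings, matches the `SUFFIX:COUNT` lines the provider returns, and treats a disabled, blank or unavailable check as passed. The `fetch` callable and the sample response are constructed for illustration.

```python
import hashlib

# The "Current recommendation" values from the table above.
SETTINGS = {"enabled": True, "url": "https://api.pwnedpasswords.com/range/",
            "hash": "sha1", "chars": 5}

def split_hash(password, settings):
    """Return (prefix, suffix) of the upper-case hex hash of the password."""
    digest = hashlib.new(settings["hash"], password.encode("utf-8")).hexdigest().upper()
    return digest[:settings["chars"]], digest[settings["chars"]:]

def range_url(password, settings):
    """URL that is requested: only the hash prefix leaves the site."""
    return settings["url"] + split_hash(password, settings)[0]

def suffix_listed(suffix, body):
    """Scan the returned SUFFIX:COUNT lines for the tail of our hash."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return count.strip() != "0"   # a zero count is a padding entry
    return False

def password_passes(password, settings, fetch):
    """True if the password may be used. fetch(url) -> str is a hypothetical
    HTTP helper supplied by the caller; it raises OSError when unreachable."""
    if not settings.get("enabled") or not all(
            settings.get(k) for k in ("url", "hash", "chars")):
        return True                       # disabled or blank field: as if passed
    try:
        body = fetch(range_url(password, settings))
    except OSError:
        return True                       # provider unavailable: as if passed
    return not suffix_listed(split_hash(password, settings)[1], body)

def constructed_response(listed_password, settings):
    """Constructed sample body: two filler suffixes around one real match."""
    suffix = split_hash(listed_password, settings)[1]
    return "\r\n".join(["0" * len(suffix) + ":3", suffix + ":42",
                        "F" * len(suffix) + ":1"])

if __name__ == "__main__":
    body = constructed_response("password", SETTINGS)
    print(range_url("password", SETTINGS))
    print(password_passes("password", SETTINGS, lambda url: body))
```

Because the check fails open, a monitoring rule on repeated provider failures is the only way to notice that passwords have stopped being checked.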