10. Settings
Settings allows specifying the operational values for a site.
Access△
This section contains flags for enabling extra access or other functionality.
| # | Name | Description |
|---|---|---|
| 1 | Accessibility | If turned on, the public site will change pages to include several accessibility enhancements for those with visual or neurological sensitivities to some typographical settings that most people prefer. A logged-in user can set their own accessibility preference on the Users page |
| 2 | 2-factor login | If turned on, after submitting a password, an email will be sent to the user's email with a link which when clicked will allow entry to the management pages, after which the resulting Close me browser page can be closed if it didn't close immediately. This ensures that someone logging in is likely to be the legitimate user. However, this process relies upon the user having the only access to their emails |
| 3 | Guest mode | If turned on, Guest users can be created to allow view-only access to almost all management pages for training or learning. Never turn on for a production site. If turned off, all current Guest users will be deleted |
| 4 | Strict Done | If turned on, hides the All done button in the Phase selection section of the History page to mitigate against releasing straight after some edits without thinking about what other edits for other locales might also be needed. Irrelevant if only one locale |
These are all turned off by default. Only turn on Accessibility if the majority of expected site visitors have the sensitivities that the changes cater for, otherwise those without them may find the changes downgrade their experience. The preferences for neurodiverse groups are often mutually exclusive.
Values△
This section covers site-wide values used by Smallsite Design.
| # | Name | Description |
|---|---|---|
| 1 | Site ID | Short identifier used as the prefix for archive file names. This uses basic ASCII alphabetic characters so that it should display properly in all operating systems. When a site is created, this is set to sd for Smallsite Design |
| 2 | Site name | Site name that is appended to the hidden title tag of a page in a browser. The full text of that tag will usually be displayed in the browser tab for the page, and will be used by search engines for determining page ranking |
| 3 | Copyright owner | Name of the copyright holder for the site. It should be the legally registered name for a business, or an individual's full name. It appears in page footers |
| 4 | Registration name | Name of the type of registration for the next field. It is provided to show information like business registration numbers that may be legally required to be displayed. If this field is blank, no registration details will appear in page footers |
| 5 | Registration ID | Identifier or number for the type of registration in the previous field. If this field is blank, no registration details will appear in page footers |
| 6 | Guest password | If a Guest user with ID of gu is created, the password automatically generated will be shown here, and can displayed on a page using the Value element. Only shown in Guest mode |
| # | Name | Example |
|---|---|---|
| 1 | Site ID | sd as an identifier for Smallsite Design. Default for a new site, but needs changing as part of step 3 of Set up Smallsite Design |
| 2 | Site name | Smallsite Design |
| 3 | Copyright owner | Patanjali Sokaris or Company Pty Ltd |
| 4 | Registration name | ABN for Australian Business Number |
| 5 | Registration ID | 14 326 274 274 |
Search△
These settings are to specify an external search provider rather than using the internal facility.
Only change these if you really know what you are doing.
Incorrect settings may hobble the search facility altogether.
| # | Name | Description |
|---|---|---|
| 1 | Status | Whether the specified external search provider is used |
| 2 | URL | Provider's URL address |
| 3 | Query attribute | Name of the attribute to hold the typed in query to send to the provider |
| 4 | Site attribute | Name of the attribute to hold the site's domain name to send to the provider |
| # | Name | Current recommendation |
|---|---|---|
| 1 | Status | Enabled |
| 2 | URL | https://duckduckgo.com/ |
| 3 | Query attribute | q |
| 4 | Site attribute | sites |
The values are initially blank and the facility is disabled. If disabled, or any of the values are removed, use of an external provider is disabled and the internal search facility is used.
Do not use Google because unless a site is very popular, they will ignore 95% of the pages. Bing will list 100% of a site's pages, but they do not have a Site attribute to be able to restrict the search to the site. DuckDuckGo does, and it uses Bing results, so coverage matches Bings, though new pages may take several extra days to appear. Their advantage is that they do not leak site visitors' details to Bing.
Not all search providers have all the attributes suitable for this facility. Also, attributes have to be able to be submitted within the form, and not as part of the URL where the queries used may be leaked in browser histories.
MIME types△
MIME types define how the web server processes files so that they display properly in a browser page.
Only change these if you really know what you are doing.
Incorrect settings may affect how some files are displayed and processed.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required, such as for new multimedia file formats. No entries are required for file types that will only be downloaded and not viewed in a browser or played.
The currently recommended extension=MIME type combinations that you can cut-and-paste from here are:
csv=text/csvepub=application/epub+zipflac=audio/flacgif=image/gifico=image/x-iconjpg=image/jpegm4a=audio/mp4mp3=audio/mpegmp4=video/mp4oga=audio/ogg; codecs="vorbis"ogv=video/ogg; codecs="theora, vorbis"pdf=application/pdfpng=image/pngtxt=text/plainwebm=video/webm; codecs="vp8.0, vorbis"webp=image/webp
While technically a file with a specific extension can have multiple mime types associated with it and vice-versa, Smallsite Design is keeping it simple by allowing only one mime type to map to one extension. In those rare cases where a mime type extension is already used, an alternate extension will need to be specified here for the new mime type, and any files expected to use it need to be renamed to use the new extension before uploading them.
However, adding a MIME type here only allows it to played on a page if a suitable handler for the file, like a codec for a media file, is already installed on the device or in the browser.
Settings△
These settings facilitate linking to other sites or web services.
Only change these if you really know what you are doing.
Incorrect settings may inadvertently expose confidential information, or prevent search engines listing site content.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required.
| # | Name | Description |
|---|---|---|
| 1 | Disallowed agents | Names of web-crawling robots (bots), separated by |, that are to ignore the site. Each will have an entry in the site's robots.txt file |
| 2 | Additional schemes | Names of communication protocols, other than https, and separated by |, that external sites might need at the front of their URLs for some of the services they offer. Cannot add the insecure http scheme |
| # | Name | Current recommendation |
|---|---|---|
| 1 | Disallowed agents | GPTBot |
| 2 | Additional schemes | – |
Disallowed agents lists those bots being requested to ignore the site. As a request, the bots may ignore it. Many search engines' bots and all malicious bots will ignore it. However, some bots for AI sites, like GPTBot, currently do respect the request, so that site content can be prevented from being plagiarised by the AI for use in response to their users' queries. However, if you have a substantial body of work and the AI does not rip off substantial content and lists references, like CoPilot does, then having occasional snippets of referenced content may widen your audience.
The insecure http scheme cannot be added to Additional schemes. For almost all likely external sites to be linked to, no schemes have to be added here as https is the fairly universal standard for websites. However, some sites' content may only be available using special protocols, so they would have to be added here to allow them to be used in links to such sites because URLs are validated against these schemes. Do not include the :// usually used after the protocol name in this list, but it must be included in full URLs.
Password checking△
These settings configure how user passwords are checked against those that have been leaked.
Only change these if you really know what you are doing.
Incorrect settings may affect whether passwords are checked properly or at all.
Working values have already been supplied. These settings have only been provided to cater for future changes that may be required.
| # | Name | Description |
|---|---|---|
| 1 | Status | Whether checking passwords at login is enabled |
| 2 | URL | Prefix to the URL to the checking provider's command internet address. The hash prefix to check a password is added to this |
| 3 | Hash algorithm | Name of the method used to generate the hash from the password |
| 4 | Characters | Number of the first characters of the hashed password added to the URL |
| # | Name | Current recommendation |
|---|---|---|
| 1 | Status | Enabled |
| 2 | URL | https://api.pwnedpasswords.com/range/ |
| 3 | Hash algorithm | sha1 |
| 4 | Characters | 5 |
The current settings are for a service provided by Troy Hunt and his Have I Been Pwned web site, using Cloudflare to timely service the huge number of daily requests at the edge servers of their cloud infrastructure. The database contains half a billion leaked passwords.
The process uses what is known as k-anonymity to allow secure password testing. It involves hashing the password, and sending off the first few characters. A list of several hundred remainders of hashes that match that prefix is returned. If the tail end of the hash of the actual password is on the list, it is compromised. The hashing makes it virtually impossible to determine the password, and so little of the hash is actually transmitted that it is made far less possible.
The password is checked at login if more than a day has elapsed since the previous check. If the check fails, a highlighted notice will be displayed, prompting the user to change to another though that does not have to be immediately. The master manager will be notified if a login check fails. New passwords are also checked, and if rejected, another will need to be provided.
If disabled, any of the fields are blank, or the target password checking site is not available, login will proceed as if the check had passed, so that access to the site is not prevented. If any of the values are removed, the facility will be disabled.