by Ed Sawicki
This page offers my opinion on the best way to build web sites that are secure and perform well.
Dual-purpose web servers
Most people today are using systems that allow you to update content on your web pages by using the same web server that serves that content. This is a huge security problem. The bad guys can find ways to break in.
One of the most popular of these content management systems is WordPress. Many experts claim that WordPress is secure, but may become less secure with badly coded or outdated plug-ins, and errors on the part of administrators who have no experience with security best practices.
The far better way is for your web server to serve content only, and not also allow you to edit that content. Move your content management to a computer that's not a web server on the Internet.
Design locally and off-line
You could edit your web pages on your own computer instead of on the web server. The bad guys can't access any of the content on your computer, so it's secure.
Of course, you can be stupid and use that same computer for connecting to web sites (such as porn sites) where the bad guys have engineered traps to infect your computer. So the rule is: use your web development computer only for web development, and for nothing that would put that computer at risk. That means limiting its connections to the outside world to trusted sites.
Computers are cheap
Using a separate computer for web development is an obvious way to secure your data, but it's not a suggestion that's taken seriously by most people. When I advise people to protect their important data by using a separate computer for storing it, they find that concept foreign. Most people want to use their one computer for everything they do.
If they have a second computer, it's a mobile device such as a tablet that's also used for everything they do. They play games that they've downloaded from the Internet on the same computer used for their online banking. It means that the bad guys only have to infect that computer once to gain access to private data on that computer.
Maximize the static
The web server is most secure when it's serving static content. That is, it has files that contain only HTML, CSS, and JavaScript, along with images, videos, audio, etc. The web server simply copies files to the remote web browser. Given that modern web servers and web browsers use the HTTPS secure protocol with SSL/TLS certificates, it's very difficult for the bad guys to gain access (but not impossible).
It becomes less secure when you serve content from a database. This is because a language like PHP handles the database. Security holes in servers running PHP and a database are not rare.
Use Open Source and Free tools
My preferences for creating web page content have changed over the years. Today, my web page content comes from XML files that get translated to HTML using an XSL translator. I use a plain text, command line editor to manage my XML files. I could use an editor with a graphical user interface, but I seldom do.
I use the open source XMLStarlet program to both check the XML files for errors and to translate the XML data to HTML.
The computer I use to develop web page content is a Linux system (Debian). It's trivial to download and install XMLStarlet and other programs.
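The static-only rule from "Maximize the static" and the XMLStarlet check-and-translate step described above can be combined into one local build script. This is an added example, not the author's own script; the directory layout, the extension allowlist, the function names, and the use of rsync over ssh for the upload are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script). Assumed, hypothetical layout:
# XML sources in one directory, a single XSL stylesheet, an HTML output tree.

# Check each XML file with XMLStarlet, then translate it to HTML.
# Stops at the first file that is not well-formed or fails to transform.
build_pages() {
    src=$1; xsl=$2; out=$3
    mkdir -p "$out" || return 1
    for f in "$src"/*.xml; do
        [ -e "$f" ] || continue
        xmlstarlet val -w -e -q "$f" || { echo "not well-formed: $f" >&2; return 1; }
        xmlstarlet tr "$xsl" "$f" > "$out/$(basename "$f" .xml).html" || return 1
    done
}

# Print every entry in the output tree that is not a regular file with an
# allowed static extension. The allowlist is case-sensitive, so it fails
# closed: .php, .cgi, .htaccess and symlinks are all reported.
# Returns 0 only when nothing was reported.
list_nonstatic() {
    found=$(find "$1" ! -type d \( ! -type f -o ! \( \
        -name '*.html' -o -name '*.css' -o -name '*.js' -o \
        -name '*.png'  -o -name '*.jpg' -o -name '*.gif' -o -name '*.svg' -o \
        -name '*.mp4'  -o -name '*.webm' -o -name '*.mp3' -o -name '*.ogg' \
        \) \) -print) || return 2
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Copy the tree to the web server only if it is purely static.
# rsync over ssh for the upload is an assumption of this example.
publish() {
    tree=$1; dest=$2
    if ! list_nonstatic "$tree" >&2; then
        echo "refusing to publish: non-static files listed above" >&2
        return 1
    fi
    rsync -a --delete -e ssh "$tree"/ "$dest"
}

# Usage (hypothetical names):
#   build_pages xml site.xsl public && publish public user@example.org:/var/www/html/
```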
Backups
I use a Raspberry Pi (RPi) computer running Linux to automatically back up my websites using the open source rsync program. The RPi has two 512 GB USB flash drives. One of those flash drives backs up the data from the web server. The other backs up the data on my local web development computer. How often this happens is under your control in your crontab configuration.
The RPi has cron jobs that automatically call rsync to do incremental backups. rsync is running on top of Secure Shell (ssh), so the connection is secure.