
Reducing the attack surface with static sites - mooreds
https://www.contentful.com/blog/2018/03/16/reducing-the-attack-surface-with-static-sites/
======
jgaa
The complexity of modern sites is insane. It's also insane to rely on other
people's services ('cloud' and 'server-less') for simple websites, like
publishing articles or blog-posts. Those services could be gone tomorrow!

A lot of users may also choose to disable JavaScript in the future, as more and
more malicious actors use JavaScript to exploit people (the latest trend is to
hack sites and js libraries to make other people mine crypto-currency).

I believe the answer to many of today's challenges is to move on to static
sites, and to make most sites work without JavaScript. You only need
JavaScript if you make a site that is basically an application. A blog or a
newspaper is not an application.

For a blogger, another feature of static sites is that they don't require a
specific back-end (like WordPress or Drupal). As a static site, their thoughts
and ideas can live on for millennia, long after the last WordPress or Drupal
instances have shut down.

Disclosure: I'm not unbiased here. I'm actually so biased that I wrote my own
static site generator last year to make it simple to publish blogs that work
great on both mobile devices and PCs.

~~~
ubernostrum
_Those services could be gone tomorrow!_

This is true of any hosting service. Unless it's your machine in your rack in
your building attached to your pipe, there's a company that could suddenly
shut down tomorrow and leave you in the lurch.

_I believe the answer to many of today's challenges is to move on to static
sites, and to make most sites work without JavaScript_

The second part I agree with. The first part... meh. I've built a _lot_ of
database-backed websites, and have been doing so since the days when people
used the term "DHTML" to refer to using JavaScript in a web page. The patterns
for doing it are well-understood, the tools for doing it are solid, and for
anything bigger than a brochureware site I'll basically always turn to a
database (and even for the brochureware, I'll usually do it, since I don't
want to train non-technical people on how to edit files and run a static
generator).

~~~
jgaa
>> Those services could be gone tomorrow!

> This is true of any hosting service.

It's a lot easier to just 'scp ~/blog/. new-server:/var/www' than to set up a
database server, go through configuration and hardening of apache and php (or
whatever) and make everything play together, again. Some of my sites have been
down for 6 months now, because I never found the time to do that.

> since I don't want to train non-technical people on how to edit files and
> run a static generator

Some friends of mine and I are planning a hosted service for this, where users
can push sites through git, scp, ftp or interactively maintain the site through
a panel (using JavaScript) - and download the entire site at any time as a
zipfile (or git clone). The sites will be static, but there will be (optional)
comments, using a 3rd party service.

~~~
ubernostrum
_It's a lot easier to just 'scp ~/blog/. new-server:/var/www' than to set up
a database server, go through configuration and hardening of apache and php (or
whatever) and make everything play together, again._

Well, you need to do some configuration and hardening no matter what. And
while I don't use PHP anymore, I've found that for what I do the deployment
story these days is easy enough.

_Some friends of mine and I are planning a hosted service for this, where
users can push sites through git, scp, ftp or interactively maintain the site
through a panel (using JavaScript) - and download the entire site at any time
as a zipfile (or git clone). The sites will be static, but there will be
(optional) comments, using a 3rd party service._

So after suggesting people don't trust third-party services, you're going to
start and advertise your own, and integrate someone else's service into it? :)

------
RobGav
Why pay for static generator or hosting when you can use eg. GitHub Pages and
Publii CMS ([https://getpublii.com](https://getpublii.com))?

~~~
tutanchamun
Yeah, or netlify cms [0] if you want a version which is usable from the net.

[0] [https://www.netlifycms.org/](https://www.netlifycms.org/)

------
dillondoyle
We host high target content (politician sites + dns + email) and I've been
moving to static html on siloed s3+cloudfront when clients don't need to use a
cms themselves. It's also much less bloated, with a goal of really fast load
times on mobile.

The problem is of course most of our staff - and definitely all of our clients
that want to be able to edit themselves - still rely on WordPress and worse a
bunch of plugins that are impossible to lock down.

I've wondered if others have set up WordPress in a separate environment to let
clients do what they want and then host the static html elsewhere. Like maybe
wp-supercache could give a zip download of the static content.

~~~
ryanSrich
Why not just use contentful (linked article is written by contentful) + static
gen? My company has used contentful + middleman for almost 2 years now. It
took a while to hone in (payloads used to be extremely large), but once it's
dialed, the experience is better than WP for both writers and designers.

~~~
dillondoyle
I haven't looked into it more than the five minutes surfing around after
reading this article, so maybe I should look into it more.

It was hard to find info on their visual CMS-like editor in the few minutes I
poked around Contentful's site. Maybe their CMS-like editor is really
simple/similar to WordPress; I will read some more.

Another quick thought is wordpress has a huge amount of plugins that these
non-technical clients are used to, so probably some retooling would be needed
to reproduce what they want.

I have no problem creating and updating static sites myself, so the only need
really is to provide clients a way to add content and mess around with the site
through a visual cms (e.g. use a visual editor plugin to add new slideshow
type content and change layouts).

------
ukulele
In sum: static sites will keep the scary hackers away. Here's how you build a
self-hosted static site with Contentful, starting at just $250/month for the
privilege of using our editor. What a great deal!

~~~
bdcravens
The article wasn't that pitch-heavy, and most of it was applicable to general
static sites. They have $0 and $39/month plans as well.

~~~
kaaloo
I can't find the $39 plan although I remember that from a while back. Maybe
it's been discontinued?

~~~
headsclouds
Check the "logo attribution" option and the $0 plan becomes the $39 plan.

------
orblivion
I was just thinking the other day, while upgrading Django LTS and dependencies
for the second time now, with its endless list of reverse incompatible changes
(on each intermediate version) that I need to consider, on a site I currently
maintain to be responsible but don't have a lot of time to invest in: oh, this
is why people use static site generators.

Come to think of it, it would be nice if I could specify a dynamic site in
some way that is reverse compatible forever the same way flat files are. Ah,
but the march toward progress.

------
duckqlz
#BringBackGeoCities

~~~
glaberficken
they have =) [https://neocities.org/](https://neocities.org/)

------
pcardoso
Funny to read this today. Over the past few days I've been building a personal
project related to this.

Just a way to easily update some small tidbits in a static site without a CMS.

Something between a static site and a full-blown CMS. A way to add some editing
capabilities to static sites.

[http://inflater.io](http://inflater.io)

~~~
detritus
Hello - I tried sending you an email to be added to your list but was hit with
a "550 relay not permitted!" notice.

~~~
pcardoso
Yikes! Sorry about that, fixed it now. Thanks!

------
gsingal
Static websites definitely have the advantage of being simple, and stay away
from security issues. They are fast in loading too.

But, there are several disadvantages. It's a pain when you want to grow your
website, want content from users. Profile management, login etc.

~~~
onion2k
You just need to decouple your thinking about the "website" and the "admin of
the website". Ultimately, reading the content is a completely separate
activity to writing the content. You can have a completely static site, with
all the advantages that brings, with exactly the same backend management
system you would if it was a dynamic website.

Some static site generators will even do most of the work for you. For
example, GatsbyJS has a data connector for Wordpress -
[https://using-wordpress.gatsbyjs.org/](https://using-wordpress.gatsbyjs.org/)

------
lonk
You can easily reduce the attack surface by shutting down computer.