It's been a long process of extricating myself from convenience versus taking full responsibility for what my website does and how it's coded.
Learning to enjoy the process of skill building and understanding, having a relationship with the magic of computer science and how to be a chef of experiences for the online user.
I'm calling this one rolling your own headless Content management system.
What's intrinsically permaculturalistic about that is the idea of the prime directive, take responsibility for your existence. This is part of our existence. It's a big part of it.
So to me, it's intrinsic to being a permaculture designer to not just be passively using tools, rather the more you understand that tooling, if you can take it apart and put it back together, more power to you, the better you will be in all your endeavors.
So to me, it's kind of like taking a website apart, putting it back together, realizing there's a lot of shady risk factors in a lot of websites.
If we're not skilled designers or were semi skilled designers, which I would say, I'm semi skilled.
We would just take things out of the box, pre configured and loaded with a lot of what's called bloat ware, often, if not outright spy wear, malware of different kinds.
Most of the time, we would never know what's happening under the hood, be completely unaware of when code that has been developed by even people with the best intentions gets exploited by people with the worst intentions, or when the code itself was written with malicious intentions, and it masquerades as though it was not.
So you're damned if you do. You're damned if you don't.
In a lot of these circumstances, the only way to know how the sauce is made is to make it yourself.
So that's the word that's used in developer communities.
Roll your own.
Often times, people say, well, there's certain things, you should not roll your own, but certain things it’s better to roll your own.
So the idea of a headless content management system. Let me just define that a little bit at the start. What a “head full” content management system would be thought of as that would be...
The majority of websites on the Internet, to this day, to my knowledge, the vast majority is still word press, blog type websites.
A shocking number of them are not fully updated to the most security patched version and also containing any number of third party non official plug ins or extensions that do all kinds of wizardry that make our lives easier and allow us to do what would otherwise be very expensive bespoke development projects.
We'd have to hire very expensive coders, designers, developers to create.
There are a lot of free plug ins out there in that ecosystem that can be installed very easily without a lot of administrative experience, or certainly not much security vetting.
Again, you're in this situation where, even with the best intentions, there's a lot of risk and vulnerability, and then more code, software with potential vulnerabilities that has to be patched and maintained and updated, falling behind in that, which we all do, and I certainly do.
I try to keep a routine of updates, but it's almost impossible to account for everything.
You do your best, you gotta try, at least. But the best way to update software is to not have the software installed and not have to update it from someone else's repository where you don't even know if they even control it anymore.
This is a site note, but it's on point at this moment, which is that, as you may have more trust in a code repository that you're drawing your plug ins from, you may trust that person.
You may know that person. You may find it to be the most secure and trustworthy repository of code that you deploy under your website, from that supply chain, the most trusted thing that you know of.
Then all of a sudden, someday the maintainer of that code repository could decide that it's not supporting itself enough.
So they're gonna flip it and sell it just to have an exit strategy from it.
Now whoever takes control of it, they could degrade it with all kinds of spammy ads, or they could load it with malware, and you would never know, and you would be doing the right thing by getting the regular updates.
But now you're getting a contaminated, poisoned update, either with benign, spammy degradation or more malevolent, malicious degradation.
So again, that all comes back to knowing. You wanna know what goes into the sauce.
You gotta be the chef yourself. Not everyone's gonna do that.
The idea is, all of the code and logic for that code, all of those dynamic features are operating in a way where the control panel interface for that content management system just lives in the cloud.
You authenticate into a web page, a web portal to to drive that website.
To make a more useful metaphor, because headless, that's, it's kind of macabre, and it doesn't really explain things very clearly.
So I think of another metaphor, actually, it's gonna work better.
If you have a very valuable car, let's say you have a sports car that you worked your whole life for.
It's your prize possession. You don't want it to get dented, scratched, stolen, broken into, etc.
So it would behoove you to park that vehicle in a garage where you have much more physical control over the security of it.
People don't see it from the street, so they don't know if there's value in there or not, or what the value might be.
You're obscuring its visibility, it's out of sight. So less of a shiny target is less visible.
That's one dimension. That by analogy, works well. Parking your expensive car, your valuable car, in a garage.
Another aspect is that you have a physical barrier around it so even things like falling debris or branches and whatnot even accidental damage to it can be prevented.
Then for someone who wanted to break into it, they're gonna have that much more difficult of a time to get through the security of the garage in order to breach the security of the vehicle. It's just not low hanging fruit. It's not just out there for taking. Now, most websites that were not built with security in mind as the primary paradigm, and security was a bolted on afterthought.
If you’re parking your fancy sports car in a very bad neighborhood, which is the Internet is one big, giant bad neighborhood. It's not a gated community. Sorry to say, there are some valiant attempts to make it more like a gated community, but there are pros and cons to that point being the average content management system that allows you to log in with just a user name and password.
That would be like parking that vehicle of yours, not even in front of your house in a nice neighborhood, but parking it in the worst neighborhood, and then walking home and leaving it there and hoping nothing bad happens to it.
But really what’s happening while your back has turned on it for a second, it's getting scratched, it's getting keyed, it's getting broken into, it's getting urinated and defecated in.
It's hub caps are being stolen. It's catalytic converter’s being cut out.
It's being joyridden, whatever. You can think of all those things, it's either happening to it or attempted.
People are jiggling the locks. Everybody who walks by is jiggling the locks.
That's what a website is contending with. Out there in the wild, on the Internet, it's being hammered by attacks of all kinds all the time.
I watch my server logs and it's just a nonstop rampart bombardment of non stop attacks mostly they're dumb attacks just spraying and praying to find a vulnerability and unpatched software.
I get hit with however many hundreds of thousands or millions of requests a day to load vulnerable versions of software that's not even on my server.
But they don't know, and they don't care. They're just scanning and automating robots that are jiggling the locks digitally speaking, in the ether.
That is the Internet. It's relatively trivial to, in the real world, to yank on every locked door knob and every locked car door handle or jiggle the windows of every house that's within reach.
You can't physically do that very efficiently in the real world, but in the digital world, you press a button and you can almost shake every lock on the entire Internet for an absurdly low price.
So to not have your car in a garage and to put it out where it's gonna be jerked on like that.
I mean, the garage isn’t foolproof, it's not perfect, but it is far more secure than just leaving it out there.
So a content management system where you have the key to get in the car, but so does anybody with the technological means or even the brute force and blunt means to break the window.
Either way they're able to get access, and if they have the right tools.
There's even high tech ways. There was a whole sort of scandal about how easy it is to spoof the key fobs and drive away with someone's car.
It became a trending meme a sort of challenge on social media, hey do the easy quick steal a car challenge and get more likes?
So you get the idea now for a headless website. The idea is, the administration panel is not a common, accessible web portal where anybody who is capable of impersonating you by stealing your credentials to log in with a password...
Obviously, with multifactor authentication and other forms of authentication that do not rely on shared secrets, which is more advanced topic I'll, I'll spare for now.
But the idea is. In terms of protecting the value at risk by siloing in a garage.
The idea is all the control panels, the private data, the database, all the secrets you're trying to protect, all of the intellectual property, content that you're serving to the world. It shouldn't be editable. Ideally, if security is the objective, the primary objective, what you published to the world should be un-F-withable, it should be solid.
It should be. It at some level Capable of being dynamic, but locked down in a way to where it doesn't just have a kick me sign on it, saying, anybody who's competent to impersonate me in an elegant manner or to just use brute force to break in without having to impersonate me.
If I make it easy to break in or easy to impersonate me and all of the controls to make everything editable and to be able to steal everything all at once.
That's all of the back office. That's another metaphor. The front office and the back office.
You don't put your file cabinets with all of your important documents from a business...you put those in secure, locking file cabinets in the back office, which has more security and less access, more surveillance perhaps, etc.
In the front office, you have whatever merchandise you're willing to put at risk.
And even then, you might wanna put it behind glass, in display cases, or even lock it up in various ways, but still visible.
That's the idea of the way most websites are operating now. Everything's in the front office.
That's an even better metaphor than the car in the garage.
It's the front office. And the back office.
Front office and back office is the legacy meat space, brick and mortar way of segregating the highest value, highest risk assets of your company your business, keeping those in a highly secured environment where they're way less likely to be tampered with, stolen or damaged.
That model, that paradigm, from the in real life world, did not, for some reason, hold up in the digital world. It became too tempting to commingle the back office and the front office and make it all be in one easily breachable environment.
So this shift towards a more secure paradigm of segregating front and back office.
The way to do that is to say, okay, I'm gonna publish my website, and every time I edit it and add content to it, I may be sacrificing a little bit of dynamic functionality, but not necessarily if, if done right, if that's an important objective, you need to have real time social engagement features and whatnot. Even then there's ways to kind of be smarter about protecting that process.
But if you can get away with it, if you can get by with more static and less dynamic features, if that can work for you, like it's working for me, then it makes sense to to use Web 1.0.
To put it bluntly, web 1.0 was far more secure and had far less attack surface that was vulnerable and exposed to the Internet. Because the administration panel didn't exist in a web portal.
The administration panel was you logging into your local computer with your administration password or your user password, you editing the files on a local machine, and then through a very narrow pathway, taking the finished product of those files and publishing them through what would be called FTP, or secure FTP.
The idea is the corridor between your siloed private computer workstation, even if it's connected the Internet, which doesn't have to be a lot of times, if you wanted to be very secure and air gapped, you could do all your Web development offline.
Which is pretty much what I do at this point. I do all the page development offline, and then I only sparingly connected the Internet just to publish it, and then I shut it off.
I don't even wanna be connected all the time on my local machine.
It's just more time exposure to risk.
That sounds paranoid, but it's really not. It's very intelligent, I promise.
So this paradigm shift for security is to move away from having everything, all the administration levers and dials and knobs, and certainly any of the private personal data of your users, their contact information, they're building information, their credit card information, potentially all those things.
It's highly regulated, but a lot of people are lax about it, and it's not highly enforced.
If you're not in the top tier of e commerce, people get away with murder when it comes to poor cyber security and customer data.
And breaches happen all the time, I pay attention. I read the data breach today news stories, and it's a non stop horror show, it's mortifying.
So spare you all that gory details. But for those who find this interesting, I'm gonna get into some of the ways that I have restored some of the functionality of content management systems in a more secure and local environment.
It takes a lot more time if you take full responsibility and you're writing every line of code yourself, which is what I'm doing, with some acknowledgment, of course, that I may be adapting snippets of code, but I write 99 % of my own code.
And whatever I don't write, that I have to implement and adapt. I am reading it. I'm testing it. I'm aware of whether or not it's making any expected or unexpected, what are called network calls, trying to grab resources from other places, different style sheets and scripts, and all of that madness that happens when you don't pay attention.
You just install a plug in and you don't know what it's doing.
I don't allow that anymore. I'm strict about a policy of if I'm using any code that I did not 100 % write myself, I'm going to thoroughly investigate and audit it. And usually that'll only be a few lines of code relative to even just the page.
It'll be a function that I don't yet know how to hand write, and I'll have to take a template of that function, but I'm going to dissect it line by line and make sure that there's no malicious potential within it that I can possibly be aware of.
That doesn't mean that there couldn't possibly be a sort of upstream vulnerability like if there's a vulnerability in browser software that makes otherwise secure code that I write no longer secure.
It could be part of a kill chain, is what they call it, of an attacker being able to exploit something that would have otherwise been secure, then it's not my problem, and it's on the end user to keep their browser updated and patched so that when vulnerabilities emerge, it wouldn't be my responsibility to change code.
It would be the responsibility of the browser administrators to say, oh, anybody who uses what used to be considered secure code, it's no longer secure, and we're not gonna allow it to execute in the browser environment.
So when the next update happens, your code may break and it may not work, and your users are gonna get error messages.
Therefore, it behooves you to be diligent, to be receptive and be responsible, and be able to do incident response in a very quick manner, because there could be a breaking change to an entire code language that runs.
HTML could have an update that deprecates some feature, and now something that you put into a million web pages doesn't work anymore, and you have to recode all of them to some extent, in order to be compliant with the new standards, it evolves quickly.
It should be a whole staff of people's full time job to maintain software that's public the way that websites are.
You can get away with old versions of things when you're running an old computer where you wanna play your old favorite video games on or something, and it never touches the Internet.
That's a different story. Publishing live website data where previously thought to be secure, coding practices get proven to be insecure, then it's a moving target.
So that's just a little PSA, we wanna talk about accepting responsibility, to sacrifice some of the convenience of relying on a lot of third party code that's not vetted well or impossible to vet.
Writing my own code, 99 % of it, line by line, writing myself and auditing thoroughly. Just making a best effort.
But what I've done to approximate the convenience of a content management system has been very creative, very idiosyncratic, a creative tool chain.
I haven't heard of this being done a lot before. I didn't go to school for this.
I've done a lot of tutorials and course work, but I did not get a degree in this. I've gone through entire MIT courses of computer science and math and algorithms. But I was not trained on a dogmatic sort of methodology. I'm like a musician who doesn't learn music theory by the book but plays by ear and gleans what they can along the way.
There are pros and cons to that. But for me, where I'm at with it is that, it's almost like you take someone with a fresh perspective to look at a problem that you've been staring at for your whole career or whatever, and someone from the outside comes in and solves it in a minute.
Just because they had a totally fresh perspective, and they didn't have the self imposed constraints that you would have if you were classically trained in something.
People can think out of the box if they were never put in the box in the first place.
So for me, what that has looked like is that I use a combination of what's called an IDE or interactive development environment. The way that, if you're creating digital music, you call it digital audio workstation.
The IDE is the development coding programming version of that, where there's all these guard rails, there is security.
The way that those environments work. It's like a word processor, the way that does the auto correcting and the suggesting of words and underlining words that are misspelled or potentially misspelled.
That's what the IDE is for computer code of all kinds of different languages.
Pretty much any language out there is integrated in a sort of multi language IDE, or has its own go to IDE. But the IDE should help you with proper indentation. It should help you with when you start a line of code, it can interpret and guess what you're trying to do in terms of what the syntax is, how you need to close that tag.
AI is starting to make some IDE features obsolete, however I would rather learn how to take full responsibility, the whole point of this is do not out source, even if it's open source.
If that means you're gonna have a simpler design then so be it probably that's better, it'll probably be more secure at the end of the day.
It doesn't have to be a million bells and whistles on every web page that makes it slower and impossible to navigate and confusing.
So this bespoke tool chain that I've built is with the standard sort of IDE that helps keep me in manner compliant with the specifications of the code, you learn things you wouldn't have learned even on your own.
You're like, oh, I didn't know I could do that but the IDE suggested it, and I tried it, and it worked, and it was great, and it was compliant. The browsers played well with it, etc.
But there are still circumstances where constructing code, line by line, doing hundreds, if not thousands, of lines of code a day, which is where I'm at now, if I'm in the zone with something.
It sounds more impressive than it often is, usually what you're doing is, if you have a thousand elements, a thousand lines of code could be 99 % the same line of code with only one thing that's different.
Which is the title or the name or the image file or whatever.
But the rest of the code surrounding that tiny bit of permutation is all just sort of telling it what to do.
So you could have a thousand lines of code that are all pretty much doing almost the same thing, but they're just operating on a different, smaller unit.
So really that's a lot of copy and paste. But this is where it gets interesting and where I've adapted a tool chain that's to me interesting and bespoke which is the integration of the open source version of an office Productivity suite it's called libre office and there's a spreadsheet called calc that gives you all the functionality of a normal spreadsheet you’d be used to.
But what is amazing about it for this CMS experience I've created for myself offline, is that when I have to be the code chef, and I have to take hundreds of lines of code at a time, and I decide I need to make a change to it.
Often all you gotta do is do a find and replace.
And it will like say, you wanna change the size of text or something, and you wanna do it across all of the elements on a page, or even an entire website, across multiple pages.
If it's a simple way to find and replace that across the spectrum, it's easy enough to use that function, but oftentimes in development, what I find not necessarily more often, but it's unavoidable and you can't get around it, is that sometimes you have to break up repetitive lines of code, and you're modifying them and doing surgery on them, and you need to recycle that and create templates for it.
Let's say you have a hundred image files, and they're named image one, image two, image three, on down to image a hundred, right? And you have to make changes to how that image displays. So the code surrounding the line that says, pull this image file from this folder on the server, the sort of the story around that request for that file is gonna determine the border of it, the size of it, what the alt tag is if images are blocked or for accessibility, you want it to be able to be displayed in the form of text.
That's the best practice that should not be overlooked. And so all of that story of pulling that image, that's it's surrounded by, with its tags, it's not as easy as just doing a find and replace on that you may need to generate a hundred of those wrappers where they need to be broken up to where, you don't wanna have to type in from one to a hundred, all those different lines of code.
What's great about a spreadsheet is that you can take that line, that's image one, drag that line down as far as you want, and it will automatically increment the numbers.
It'll build you image one, image two, image three. All you gotta do is drag it all the way down.
So whenever I've got to do those hundreds or thousands of lines of code, I'll take a line of code where most of it gets repeated, and I'll break it up into chunks, each in their own column on the spreadsheet.
Say, to make it easy. You have the opening bracket of an image tag, you have the image path in the middle, and then you have the closing tag.
So if you had just three columns of a spreadsheet.
On the first column, you have put in that opening bracket. The second column, you put in the path to the file name, where it ends in the number, and then the third is where you have the rest of that file name, which is the extension, and then the closing bracket.
What that leaves you with is the ability, when you break up a line of code in that way, to do a drag down on a file that has an image number, and it will build you all those numbers without you having to manually type them in.
And then all you gotta do is double click on the the column before and the column after it, and it will duplicate itself as is, with no changes, because there's no numbers in it that would get incremented.
You do the same with the other side, two clicks, and now you've got hundred or thousand, etc. However many lines of code necessary. And the process of incrementing those values, it's done in its own little column.
Then the fourth column becomes a formula that concatenates or merges together in sequence those previous three columns.
And then you get the emergent property of the full line of code reassembled, where you didn't have to type in all those numbers, you were able to scroll to get all those numbers.
And now you stitch them together, and you've got your hundred or thousand lines of code, and you copy and paste and you're done.
I've got that down and figured out to where I can do a lot of advanced variables and build a workflow where what you would experience posting to word press, all of those steps, where you put in the date, you put in the tags, you put in the title, put in a description, you put in a short and a long description, you put in the body... all of those tasks that are made simple and convenient through those interfaces, I've basically made all of that functionality work on these master template spreadsheets.
The first column can be the data that you enter that gets re repurposed all throughout a web page, the title, and with description and whatever else is gonna go on that page.
Then that auto populates all throughout the spreadsheet in different columns.
I only have to put it in once. I don't have to put it in a bunch of times over and over manually. I put in only what I need to add to a template.
All of those lines of code with all those tags that have all kinds of things going on in the middle of them, they're all baked in, but in a way, they're broken up across the different columns.
So they get stitched together after putting those variables, and they produce those results from one column to the next. Several columns in a row that are slicing and dicing my variable inputs slicing and dicing them. I hide those columns and then only the finished product, the baked good or this sort of chef's dish that's done served, leave that column visible.
I can go along and click on the top of those finished product columns copy and paste them, and I've got the entire HTML page from top to bottom rebuilt instantaneously by putting in variables at the left side of the spreadsheet, having the magic line chef work being done in the hidden columns.
Then what's exposed on down the line from left to right is the tasks I had to do to copy code into a local document and then to copy code into a shell terminal to load that in a secure manner across the internet with multifactor security to the server and test it, open the browser make sure it's working right.
Make sure that the site map is updated and the formatting is correct.
Sometimes there are just weird glitches where it doesn't update perfectly, and therefore it's always wise and it's part of my process to publish the code and then refresh the page, make sure and double check visually that everything worked as intended.
You have to be in the zone. Today, I got distracted. It wasn't a security matter. But it wasn't a security concern. But in that process of rapid fire conveyor belt, local spreadsheet enabled development, that tool chain, I got a phone call, I didn't know where I had left off.
It's possible I could have made some kind of mark. In fact, now if I ever get distracted, I'm gonna color that column or something immediately. So I know where I left off. It wasn't end of the world, but I did end up with something going wonky.
Something ended up at the top of the page that should have been in the middle and it was easy to correct.
But it does show that it's all consuming.
It gets you into the zone. Once you get in the zone, you don't wanna get shaken out of it because you get in that groove and you're flowing.
But I'm very happy to say that it is a game changer for me personally, because that means what used to be such a tedious chore of all these individual tasks and just makes you not wanna do it.
I've even added some pretty sophisticated nuance to it thanks to the generosity of the developers who've created this open source spreadsheet software. I’m able to use all of the tools that I'm relying on with the server software and everything in between.
But the tools that I'm using to write that code, most of them, are written by people far more sophisticated than I am, and I'm only using a fraction of the features that are available to me.
But at least I know what's going in the sauce. And now I'm able to just bridge the gap between what the trade off was when I said, I'm not gonna do these very vulnerable web based admin portal content management systems just because they're easy and convenient, they save time. Which is the opposite if you're responsible for a data breach and your customer's data now becomes a class action lawsuit where you go bankrupt.
So if taking a little extra time and front loading it with more security is what takes that threat off the table, then by all means, I'm gonna do that, and I have done that, it's just more manageable.
I'm in the second half of my life, and I just want things to be more elegant and manageable.
If I say I want it to be easier, and really what that means, what that translates for me now is I just wanted to be simpler more elegant more efficient and less moving parts as few moving parts to get the job done as needed. I don't want any access of sprawling security risk.
So I'm moving in this direction, and I've made it a fair ways.
If you would have told me years ago that I would be able to basically replicate all of the functionality that I would get from a normal, modern content management system, not some of the most advanced features, but the basic web publishing.
That's what we're talking about here, publishing text and images and video and audio to the Internet on a web page that you are responsible for.
If you're posting to social media, their security staff and their army of lawyers are responsible for securing your account and everyone else's account, that's a totally different relationship.
There are all kinds of tradeoff there. But when it comes to taking responsibility for your own website real estate, the security of it, the privacy of it, the tool chain you used to authenticate into it and to modify it and post to it.
I'm just taking this moment to feel accomplished, because I wouldn't have believed it would be possible.
I wouldn't have understood the utility or the value of it many years ago.
I certainly understand it now, but I definitely would not have expected that I would be able to study enough and develop the skills enough to where I could actually replicate the convenience of web publishing with a combination of an IDE.
And whenever I need to automate tasks, I don't have to write a ton of Python code to open files and close them and search for this and modify that.
The thing that pushed me to realize, aha, I can automate a lot of this in a far more elegant manner by augmenting the power of the IDE by automating certain tasks and workflows with a spreadsheet.
The thing that pushed me was trying to build automation tools with Python and bash scripting and other languages, and getting to a point where there was more escape characters than there was code.
After a while, when you're trying to generate code from code, where they share a syntax of backslashes and quotes and single quotes and double quotes and question marks, all these characters that are interpreted by the code compiler or interpreter, you have to use what are called escape characters.
So that if you want to write code, then you have to tell the code what code to do its code thing on and what code to not do its code thing on.
It's one of the most mind twisting tasks to have to have to figure out.
If you want to automate it and do it over the course of all kinds of different lines of code. That is a lot of escape characters, you go blind looking at it. It's insane even with as unintelligible as any code language already is.
When you start having to make it look like it's going upside down and backwards, it's crazy making.
Anybody who is very good at that and really enjoys that. My hat is off to them. For me, I realized, oh, I can avoid that nightmare by integrating a spreadsheet in my tool chain.
So now I have this spreadsheet that's got all of these sort of scrap yard template processes from all the different apps I'm building and pages I'm building, where, if I'm gonna upload a hundred new images to the website. Then I know where to go to to take that template of that sort of conveyor belt of template code, and then I can just drop in those variables and it spits out what I need, and I copy and paste that into the main document, upload it and that's that. So the sky is the limit.
I can't emphasize enough how grateful I am and how interesting it is the way that intuitive logic that we take for granted about navigating the world, tying our shoes, operating a machine, whatever it is, we take for granted so much nuance of procedure, just from our life experience.
Everything is sort of muscle memory for us, for the most part in daily life, but for computer programming. The sentiment is that for every one task you want a computer to perform, you have to tell it nine tasks not to perform in order for it to perform the one task without the chance of it misinterpreting it or being vulnerable to be manipulated to do other tasks that it wasn't told not to do.
It's a lot more about negative programming than telling it to produce result you want some times.
That's where you get into all the different abstraction layers of higher and lower code languages.
At the end of the day, it all boils down to ones and zeros and everything above that, you're operating at a higher level of code. Most people are not coding with ones and zeros.
I'm having the time my life. And again, I salute and have infinite appreciation for all of the people smarter than me that make it possible for me to do the humble things that I do.
Every day is new and exciting and engaging, because you continue to learn more ways to optimize the work moving forward.
You always have the opportunity to go back in time to things you did earlier and give them an overhaul and bring them up to your current skill level.
That's an interesting, reiterative kind of recursive process as well.