Umbraco developers - remember to disable the umbDebug settings when you go live
Friday, October 28, 2011 12:05:41 PM (GMT Daylight Time, UTC+01:00)
Recently I've noticed a growing number of Umbraco developers forgetting to disable the Umbraco debug settings before going live. We all fall foul of this from time to time but it is a security loophole that you can patch incredibly easily.
If you're not familiar with the helpful debugging querystring parameters umbDebug and umbDebugShowTrace, they basically show you the ASP.Net trace output and highlight the various macros used on the page - there's also a useful "toggle debugging in Umbraco" bookmarklet on cpalm.dk.
Why you should disable trace
If you try it out on a site which has debugging enabled, you'll get all sorts of helpful information output to the page, including where your website is installed - all very helpful and interesting to hackers. It also identifies your site as an Umbraco site very quickly - again something you would want to avoid if at all possible.
How to disable the debug settings via the web.config
Umbraco helpfully has a built-in flag in the web.config appSettings section which allows you to effortlessly toggle the debugging features on/off. To turn it off, search for "umbracoDebugMode" in your web.config and if it's set to "true", change it to "false".
<add key="umbracoDebugMode" value="true" />
<add key="umbracoDebugMode" value="false" />
For good measure you should also change ASP.Net's built-in debug flag:
<compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0">
<compilation defaultLanguage="c#" debug="false" batch="false" targetFramework="4.0">
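A pre-deployment check for the two flags above, as an added example (not code from the original post or from Umbraco). The function names and the sample web.config are constructed for illustration; the script exits non-zero when either flag is still on, so it can gate a release.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from a real site).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="umbracoDebugMode" value="true" />
  </appSettings>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0" />
  </system.web>
</configuration>"""


def is_true(value):
    """Compare leniently so 'True' or ' true ' is not missed."""
    return (value or "").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings for debug flags left on in a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # <appSettings><add key="umbracoDebugMode" value="..."/>, also inside <location>
    for settings in root.iter("appSettings"):
        for add in settings.findall("add"):
            key = (add.get("key") or "").lower()
            if key == "umbracodebugmode" and is_true(add.get("value")):
                findings.append("appSettings umbracoDebugMode is true")
    # <compilation debug="..."> wherever it appears in the file
    for comp in root.iter("compilation"):
        if is_true(comp.get("debug")):
            findings.append("compilation debug is true")
    return findings


if __name__ == "__main__":
    # Pass the path to a web.config, or run with no arguments to audit the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    problems = audit_web_config(text)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```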
Disable it using UrlRewriting.config
If you prefer the belts and braces method, you can add a rule to your UrlRewriting.config to redirect the user every time the URL includes something that looks suspicious. To do this, just add the following rewrites to your UrlRewriting.config (or replace it completely if you don't have any rules):
Think about your users when writing your content
Thursday, October 20, 2011 2:20:06 PM (GMT Daylight Time, UTC+01:00)
Ignoring the aspects of design, SEO duplicate content, underlying code and tone of language, as a content editor you really should give consideration to your user and what they're looking for. I generally steer clear of critiquing - or even commenting on - work that isn't our own (or when being asked by the creator) but sadly there still seems to be a real misunderstanding from clients on what makes a usable website.
We recently launched a website for local award winning pie makers - Elm Tree Foods and as a result we've spent a lot of time dealing with other local providers' websites/council websites and I'm left stunned by the horrific experience they're offering their users. What riles me more about this though is the fact that most of their users are the sort that need to be helped through the process as they aren't often familiar with the internet (somewhat of an over-generalisation I realise).
A good example I came across today is Herefordshire's main tourism website: www.visitherefordshire.co.uk. It's well ranked for the search term of "Flavours of Herefordshire" (a good start) but it's then downhill from there. I was trying to find out where the Elm Tree Foods stall would be and when the festival was. We've seen signs locally saying it's at the Hereford Race Course (there's some debate over whether it really is) but we weren't sure that was the case for Elm Tree Foods.
You can try this yourself, see how long it takes you to find out where and when the Flavours of Herefordshire food festival is purely by using www.visitherefordshire.co.uk. Ideally you want all the information on one page.
Step 1: The Landing Page - Homepage
Message on the homepage - good start. Or is it? Take a closer look and you may find that although you've got the dates (and if you continue reading a time) there's still no indication of where the festival is:
Step 2: This week's events in Herefordshire
Clicking the only apparent link on the homepage (I didn't want details on the other events - rather the Flavours of Herefordshire event) takes you through to the listing page which has the date, location and contact details but no time (which was on the homepage if you remember?).
So we're set? We have the location and the date/time, what more is there?
Step 3: The Flavours of Hereford event landing page (version 1)
Well, not knowing Hereford that well, I don't know where 1 King Street is so need to find that out. Logically I click through onto the event's page and I'm taken to:
Putting to one side the MASSIVE white space on the top right, again there is no mention of when this glorious event will take place. Presumably they were going to put all the clear location/date/time information in that large white space at the top of the column - but were overwhelmed with their workload and forgot.
Another point with this page is that the content talks a lot in the past tense which is very confusing, was this page meant to be released after the event?
I still don't have a single page with all the information on so let's pop back to the homepage to see if that offers anything else.
Step 4: Back to the homepage
Back on the homepage for another look and it turns out the title, although not completely clear, is also a link.
Step 4: The Flavours of Hereford event landing page (version 2)
Clicking the title, I'm taken to this page:
Ok good, I've got loads of helpful information here: "Hereford Race Course for the weekend of Saturday, 22nd October and Sunday 23rd October, 2011 - 10.00am to 4.30pm each day" - exactly what I was after (even though it's hidden away in a paragraph of unnecessary fluff)!
But hang on, I thought it was at "Discover Herefordshire Centre, 1 King Street, Hereford, Herefordshire"? What's this about the Hereford Race Course? Also, the other page didn't mention anything about tickets or prices, does that mean I have to pay now? I'm now confused.
Imagine if you didn't know it wasn't at the race course (as I previously did), you'd now be going to the Hereford race course, paying £7.00 to get in and left disappointed at not getting to try Elm Tree Foods' award winning pies. Bad times. To be clear, I won't know until this weekend whether it is at the Race Course or not (or indeed what will be at 1 King Street) so if you're interested, follow me on Twitter to find out first.
"But it's complicated because we have so much content"
We've all heard it from larger organisations when getting them onto the web. It's not hard to confuse the user - and it's also not difficult to help guide the user either; regardless of how much content you have, you just need to give consideration to the user's journey and what the important messages are at each step.
Although it is still having work done to it, here for comparison is the Elm Tree Foods homepage and event details page. Even when resized, the important information is largely available:
But good design costs too much
I don't know how much www.visitherefordshire.co.uk cost to design and develop; however, one thing I'm almost certain of is that the user could have been offered a much better user experience than they are currently receiving.
If after reading this you're concerned about your user's experience, contact The Site Doctor for a website check up.
Estimating the real value of source code
Thursday, October 13, 2011 12:16:11 PM (GMT Daylight Time, UTC+01:00)
If you run a software development company of virtually any size, you've no doubt been asked/bullied at some point for the source code; sometimes it's even stipulated as a requirement of the contract.
At The Site Doctor we don't tend to quibble over the source code (especially not for standard websites at least) and that's mainly because we know that the value of what we do isn't in the files of code themselves; instead the value is in our knowledge of you, your product, your requirements and our past experiences in our respective areas of expertise.
Putting to one side for a moment the knowledge gap (this can be filled over time/with enough resources), depending on your future plans, getting access to the source may not be the holy grail you think it is. If you are actively developing your project on an on-going basis (you should be), consideration will need to be given to how you ensure your copy is up to date. We have systems to handle this (called source control) but you have to question whether the additional time required to learn and manage the various processes is of real benefit to you.
There are a few instances however where having access to the source code is definitely worth it. Have you for example got a contingency plan in place for if your supplier was to no longer exist? What would you do and how would you cope if the development company was no longer around? In these instances, having a copy of the source - or more importantly knowing how you can get access to the up-to-date copy - is very important.
How can I quantify the worth of the source code to me?
As with many scenarios like this, there's not really a "one solution fits all" answer; however, after a little internal discussion we came up with the following:
| Value of Source | Considerations |
|---|---|
| High | - Was the system completely bespoke?<br>- Is it integral to your day-to-day operation?<br>- Is it your only source of income? |
| Medium | - Although integral to your business, you have a copy of the software in a usable form and it doesn't change regularly.<br>- The system offers "standard" functionality which can be replicated with relative ease should it be required e.g. e-commerce functionality. |
| Low | - The system is something generic, does not need to be changed<br>- You have control over the aspects that you need e.g. it's a website with a content management system |
Is it worth getting the source code as a client?
Yes; but I would consider the message it's giving to your developers. If you ask for it at the beginning of the contract then there shouldn't be a problem but bringing it up after delivery might leave the developers wondering what your motive is (even if it is totally innocent).
Should I give the source code to my client?
Yes; unless you've clearly stipulated otherwise to the client from the start for some reason e.g. to reduce project costs. You should always write your code in a way that is readable to others anyway and knowing that you might at any time be offering up the source code will encourage you to keep it that little bit leaner.
How do you handle source code with your clients?
To handle a scenario in which The Site Doctor no longer exists (whether it's because we've gone into administration or we're all hit by a meteor), we use Crisis Cover; an online information storage system that securely stores all the information our clients would need if we were no longer around. Crisis Cover then checks that we're still around and if not, distributes the information to the designated contacts.
If you've not already got some form of contingency plan in place I urge you to set something up now whether it's a service like Crisis Cover, Excel or paper!
In closing I would definitely promote the attitude we have at The Site Doctor in that it's better to build long-term partnerships but you should still have some disaster contingency plan in place.