Static what Generator?!

Recently I’ve become disillusioned with most CMS options. They’re a pain to keep updated, plugins are constantly being abandoned, and they’re so prevalent in sites that they make a very attractive target for exploitation. In fact the first time I lost control of my server it was because of a bug in a themes use of timthumb.php. Basically, the attacker sent it an “image” file from a hosting website that had a php eval script hidden in it’s data. When accessed normally it showed an image but if they accessed the cached file that timthumb made, then the server treated it as a php file. From there they were able to install a remote shell, and own my server.

Static site generators

While the timthumb exploit was a pain in the ass, it was very interesting to me and made me seriously consider how I secure my systems. To that end I started reading into static site generators. Static site generators take your posts, usually formatted in some sort of markup, put them through a templating engine that outputs .html files, which you can then serve via the usual methods.

Why tho?

The idea is that most sites don’t actually need to use dynamic code. Their content is, for the most, part static. Users aren’t interacting with the content (other than the comments sections and forms but we’ll talk about that later). They are, instead, just reading it. The only person who seems to be interacting with it is the person that owns the site. Even then, the owner isn’t actively interacting. They are writing a post, or updating a page. After that, everything stays the same.

All this is a “face-value” reason to move over to a static site. I have an even deeper reason for wanting to use a static site, portability. Static sites allow you to use a generic format for your posts. I write all my posts in markdown, a very common and widely used format. With this I can move from generator to generator without much change. If I were to make my blog in something like Wordpress, my post information would be locked into a very specific database format. If I, for some reason or another, decided I no longer wanted to use Wordpress it would be a lot of work modifying all my posts to be compatible with the new platform.


When it comes to static site generators, there are a plethora of options. The idea is to make sure you know what you’re signing up for. They come in many languages and each come with there own pros and cons. Choose something that’s written in a language you’re somewhat comfortable with and something that meets your criteria.

For me, I wanted:

  • Something with configurable routes ( could easily be
  • Does not need a server running all the time (This defeats the purpose to me and can introduce security issues)
  • Was reasonably markdown agnostic (I didn’t want too many special tags in my markdown in case I wanted/needed to switch generators)
  • Had a nice theming engine with some good themes already made (I can make one but wanted to get up and running quickly)
  • Is actively being Developed (It would be nice to keep things up to date)

Enter, Hexo

Hexo is a neat little package.

Originally I thought I would install it, set up an apache virtual reverse proxy via an .htaccess file and let node serve static files. Some people do this. It’s a valid way to serve a site. The problem that I have with this, is that it’s just another vulnerable layer of code that I don’t have the inclination to audit. It could potentially have glaring security holes and I wouldn’t know. Again, I want to clarify that I don’t know much of anything about security. I’m not a cryptographer, nor an expert on cyber security. However, I can easily read the html that comes out the other end of the site generator and verify that there are no well-known issues with the javascript or html.

If this is the way you wanted to do it, you would need, at the very least, this sort of .htaccess configuration in your root

RewriteEngine On
DirectoryIndex index.html
RewriteRule ^$ [P,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$$1 [P,L]

So what to do? Well, the output is a fully static html/css/js site. No need for node, no need for a reverse proxy. This will just work when popped into a public directory of a webserver.

getting that set up

A Word on interactivity

Static sites are very useful for serving your content. However, there are a few times where some interactivity is really useful. For instance, the comments section down below. Well in those cases, we can employ third party services with javascript to bridge that gap. Discus seems to be very vigilant when it comes to user identity and exploit elimination. They provide an API in which you can send them your “shortname” and the URL of your post and they’ll provide a comments section that you can embed there.