I was going to write a guide to security-related HTTP headers, but it turns out that someone has already done it. So here you go, it's worth a read. I have locked down the out-of-the box Tuskfish headers a bit tighter. The content security policy header can break a lot of stuff (read 'any inline script or style sheet') and requires manual tweaking, depending on what you're doing.

Tuskfish 2.0.7 is a minor update to fix small bugs and add htmx support. Back end toggling of content on/offline now uses a htmx call to avoid reloading the whole page. This makes management easier when you have a large amount of content. The htmx library is now available in /vendor, but it is only used in the back end administrative theme.

Tuskfish 2.0.6 introduces automatic content expiry and sitemap update functionality, via a daily cron job script, updates third party libraries (jQuery 3.7.0, FontAwesome 6.4.0 and TinyMCE 6.4.2). A few bugs were fixed including custom RSS feed error if ID was empty, and indexing of soft 404 and enclosure links has been allowed.

In a blog post annoying titled Heroku's Next Chapter, Heroku's General Manager has announced they will discontinue their free plans. On 28 November they will reduce free resources to zero and start deleting hobby-dev databases. Yep, they are going to bin your data with no warning other than an email, to "manage fraud and abuse". The good news is that you don't need them. Get your virtual machines from a cloud provider and containerise your apps with Docker instead. You'll never look back.

Trying to find truly free stock photos has always been painful. Usually, the available 'free' resources come with unwieldly terms such as the requirement to publicly attribute the source or acknowledge the author. Now I fully support the Creative Commons licenses for literary works, but you just can't plaster attributions across the artwork for a brochure, website banner or logo. It's not an appropriate model. Recently I stumbled upon unsplash.com, a stock photo site that is actually free, has a remarkably permissive license, and is also excellent.

A demonstration of Tuskfish's mapping capabilities. This track was recorded on my Garmin Forerunner 245 watch, as I drove back from Batemans Bay on the south coast to Canberra. The map is automatically generated from an exported .kml file of the track, which Google Maps can put bounds around. The tracks are downloadable so others can use them on their own devices if they wish. You can also prepare maps in Google Earth or Google Maps itself.

Tuskfish 2.0.3 brings compatibility with PHP 8.1, so if you want to wring the last few milliseconds of performance out of your site, use this version. New features include support for embedding Youtube videos, a sitemap generation facility, a 'minimum views' preference before displaying the views counter, and a live character counter for the meta description field. Third party libraries have also been updated, including adoption of Bootstrap 5.1.

Tuskfish 2 is a rewrite of Tuskfish CMS to adopt a strict model-view-viewmodel (+ controller) architecture. You can think of it as traditional MVC except the view is split into a view and a viewModel to abstract the model/view relationship, which improves flexibility and reuse of components. A front end controller and static router has been added to allow custom URL schemes. With the adoption of namespaces, Tuskfish 2 is now a very modern (if small) PHP application.

Just a short note to say Tuskfish 2 is in the works. It's going to be a partial re-write of the back end, but there will be minimal changes on the front end or from a user experience point of view. The database schema will also remain unchanged to allow seamless upgrade. Tuskfish 2 will be designed as a strict MVC architecture to improved separation of concerns, rather than the loose MVC it currently has. Components will be assembled through composition and inheritance will be fully dispensed with.

I'm very happy about Github's decision to grant unlimited free private repositories. It's not that I objected to Github charging people for the services they provide, but to qualify for free access you had to make all of your repositories open source and public. The problem with that was that the world is actually better off with some repositories remaining private. Do you really want access to the scratch pad repository I'm using to learn a new language? I think not.