Thoughts on website design

I'd just like to provide some food for thought on websites and website design. This is my philosophy, and is not to be taken as gospel. I am not a website designer nor do I have any ambition to be one, but I do know a thing or two and have my perspective independent of any presented by the W3C (World Wide Web Consortium) or any others. My particular perspective comes from watching the web progress, little by little, from its humble beginnings (including a time before web browsers, when gopher was king) to what it has become today.

While my thoughts may not appeal to all, they have merit to me, so I judge things based on my experience. As a UNIX systems and network administrator, I pride myself on the security of sites I maintain. I've been around the block long enough to know that no site connected to the world is safe. I also know that there are millions of insecure sites (discounting Windoze systems, they are inherently insecure) begging to be abused by script kiddies. But that doesn't mean relatively secure sites are safe either.

I have had systems I administer broken into. These break-ins I've been able to trace back in every case. And in every case, the break-ins have been a result of poor security practice by users or client demands that certain (what I consider unsafe) software be used. I have also found that warnings don't help; these clients and folks need to suffer through the consequences and still often wish to continue, unabated, on their insecure course.

So without further ado, I present here my philosophy.

Web site generalities

Today, few are the folks who do not use the web. A large number use it for entertainment, to look up information, to buy things, etc. A good number are impatient. Most just want a pleasant experience, and if a site doesn't impress them (worse if it actually is unpleasant to the eyes in some way), they will leave and not come back. So what makes a site that folks will return to? Why would you (or I) not stay or not return to a site?

A good website is all about aesthetics. It has to be visually pleasing, easy to navigate, and communicative (and this is a two-way street folks). That means that above all, content is important. But if that content (be it words or pictures) can't be seen or read or doesn't convey the appropriate information, it is less than worthless. Sites must present content, and in a readable fashion. I also don't want to hunt, but want information to be easy to find. Most importantly, I want to communicate back to the website owner, not just the webmaster. Providing a GPG key to send data in a secure fashion via e-mail would also be a nice touch, but not essential. What I don't want is to be forced to write a web page to communicate with them. Do you?

The next thing a site must do after having decent, informative content is present it in a pleasing manner. That is, it must be laid out in a simple fashion, not be overly or underly busy (although underdone is better than overdone), and it should be something most browsers will show. Color can set a tone. I've deliberately chosen red, white, and shades of blue. I could just as easily have shifted all the colors, or chosen a different style completely. Good web designers should understand how color affects the mood of visitors and choose accordingly. Just as elevator music is for elevators (imagine hearing hard rock blaring from elevator speakers), harsh, blaring colors are for harsh, blaring sites -- and will drive most folks away quickly. It's not just about graphics, but backgrounds and contrasts (or lack thereof) as well. Even a monochromatic gray site can be exciting if well done.

Finally, a decent design will also include enhancements. This is normally accomplished today with javascript. But since some folks (mostly those who've either disabled javascript for whatever reason or simply don't have it) can't process javascript, allowance should be made for them. In such cases, these enhancements should degrade gracefully. That is, nothing should be lost if javascript enhancements aren't available. Collapsing menus should be collapsed by javascript, but open otherwise. Animations should at least show an appropriate picture. But no content or styling should be lost just because someone doesn't have javascript.

Obnoxious or unsafe programs

Despite popular belief, javascript is not unsafe. It can be made to be obnoxious, opening windows and rearranging things in an annoying manner. But it's not unsafe. Javascript is just client side. It does everything in the client. This is good because it doesn't require constant communication (and long wait times during said communication) with the server; it can do its work locally. And used with AJAX (a way to load data into a web page without reloading the page), it can communicate information between the server and client in an efficient manner.

Another client side program a number of web designers have been sold on is called flash. I personally dislike flash, not for flash itself, but it has been turned into what drove most from javascript: annoying, intrusive, and just garbage entertainment. When I go to a website, I rarely go to be entertained, I go for information. I want to see what the company has, and be able to communicate with them if I find what I want. I don't want to have to load special programs (flash version.latest) to see the site. And unfortunately, those who are sold on flash usually drive me away because when I don't have flash, all I see is a big blank square with a "you need flash to view this site's contents" sign. No degradation, just nothing. Ok, no problem, I'm gone. They could at least find a way to degrade gracefully. And everything worth doing that can be done with flash can be done with javascript; and javascript is built into most modern web browsers. So why force me to load an extra program?

Server Side Silliness

On the server side, web designers have a lot of leeway. Personally, I don't want to put extra junk on my servers. So I use what is loaded anyway, mostly Perl. Adding PHP just adds to the headaches. While it is easier to write in (thus its popularity), I find several truths to be self-evident. The first truth is that PHP versions don't play well together, and I don't need to be bitten again like I was with the PHP 3 to PHP 4 upgrade disaster. Nope, bite me once, shame on you, bite me twice -- won't happen. The second truth is that PHP itself is a security nightmare. If you want to have intruders in your web server, run PHP. I've had several break-ins that could be traced back through PHP.

Most likely, it wasn't PHP itself, but since a large number of web designers adopt PHP because it's easy to write in, and these folks are not programmers, they are writing code and not trapping input; that is, they are writing buggy, insecure programs. While that can also be done in Perl, generally, those writing Perl programs have a little better background, and Perl has a way to "taint" inputs: it distrusts data that comes from outside the program and will not automatically use it in an operation that could cause harm.
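To make "trapping input" and tainting concrete, here is an added example (not code from this site) of a Perl script run in taint mode. The sample inputs are constructed, and the helper names `clean_filename` and `serve` are hypothetical; `/bin/echo` stands in for whatever command a real script would run.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode distrusts the inherited environment too, so pin it down first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample inputs standing in for a form field. Appending an empty
# substring of $^X (tainted under -T) marks each one as external data.
my $taint   = substr($^X, 0, 0);
my @samples = map { $_ . $taint }
    ('report.txt', 'notes-2.txt', 'x.txt; id', '../../etc/passwd');

# Validate against an allowlist pattern. Only a regex capture yields
# untainted data, so the pattern is the whole security decision.
sub clean_filename {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_-]{1,32}\.txt)\z/ ? $1 : undef;
}

# The sink: running a command. List-form system() avoids the shell, and
# /bin/echo keeps the demonstration harmless.
sub serve {
    my ($file) = @_;
    return system('/bin/echo', 'serving', $file) == 0;
}

for my $raw (@samples) {
    printf "%-22s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;

    # 1. Untrapped input: under -T Perl aborts the call, even for a
    #    harmless-looking name, because it was never validated.
    my $ok = eval { serve($raw); 1 };
    print "  raw use blocked: $@" unless $ok;

    # 2. Trapped input: validate, then use the captured (untainted) value.
    if (defined(my $safe = clean_filename($raw))) {
        serve($safe);
    } else {
        print "  rejected by validation\n";
    }
}
```

Every raw value fails with "Insecure dependency in system", and only the two names matching the pattern are served after validation. Taint mode forces the check to exist; an over-permissive pattern such as `/(.*)/` would untaint everything and defeat it.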

When I need a database, I tend to use a real database that is ACID. ACID stands for Atomicity, Consistency, Integrity, and Durability. This pretty much precludes MySQL (not ACID last time I looked, and I now don't want to switch databases midstream). Unfortunately, this is the staple for most web databases. OTOH, if you don't care about losing data, go for it. I personally don't want to run multiple databases. Makes for a maintenance nightmare. That said, I run PostgreSQL exclusively, but SQLite is also a good choice.


A good, tasteful, but well-presented page with content and a way to communicate with a company will do wonders to keep folks coming back. Enhancements using javascript that degrade gracefully (don't interfere with non-javascript browsers) are not only acceptable, but can increase the likelihood of folks' returning. Using sensible server-side tools and not following the myrmidons off the cliffs is also desirable. After all, it's all about getting folks to stay when they come, and come back often.