Recommended Server Settings
Websites based on Publii don't require much to function correctly; in fact, any server that can host HTML files will handle the basics. However, to provide your visitors with a safe, user-friendly site experience, some factors are essential to bear in mind when deciding which type of server you want to use to host your site.
Key considerations for hosting a Publii website
- Not all servers will be configured to handle directories, causing them to be unable to display the index.html file immediately on load. To protect from this issue, we recommend enabling the Always add index.html option in the URLs section of the Site Settings, which are available via the main menu in the left-sidebar of the Publii interface.
- The FTP protocol may be simple to use and is certainly supported by Publii, but it is generally recommended to avoid using this protocol as it sends data without encryption, opening up more opportunities for hackers to gain access to your server. Instead, at a minimum we recommend using the FTPS protocol, which works exactly the same as regular FTP, but it also encrypts the server access data for additional protection. Users should go one step further and utilize the SFTP protocol, which encrypts all traffic (connection, file transfer) to the server for maximum protection.
- Publii does not generate empty index.html files for directories, as this would often lead to several additional files being uploaded to the server. Therefore, we recommend using a hosting option (deployment method) that either provides a setting to disable directory listing or lets you disable it manually, for example, via the .htaccess file.
The following table shows how the different deployment methods handle the directory listing.
| Deployment method | Built-in option |
| --- | --- |
| FTP | depends on the server configuration (can be disabled via the .htaccess file) |
| SFTP | depends on the server configuration (can be disabled via the .htaccess file) |
| GitHub | disabled by default - returns 404 error page |
| GitLab | disabled by default - returns 404 error page |
| Netlify | disabled by default - returns 404 error page |
| Google Cloud | - |
| Amazon S3 | requires creating a bucket policy |
| Manual deployment | depends on the available settings of the destination server |

- To improve the site experience for your visitors and ensure their security, we strongly recommend using SSL (Secure Sockets Layer) on your website, which will encrypt the traffic between the visitor's web browser and your site's server. This will also have a secondary benefit to your site traffic, as some browsers block pages without an SSL certificate and warn visitors that your site may be dangerous, regardless of the actual content of the site.
With these points in mind, you can be sure that your and your visitors' data will be safer and more secure than before.
Protecting the files.publii.json File
Starting from Publii 0.46, the synchronization process has been enhanced with a new approach that uses individual checksums for each file in your site, stored in the files.publii.json file. This change improves the accuracy of detecting modified files and streamlines the syncing process.
Previously, a single checksum was generated for the entire site, which could result in unnecessary file uploads during synchronization if even one file changed. The new method ensures a more efficient workflow by:
- Tracking Each File Separately: The files.publii.json file now contains a complete list of all site files, each paired with its unique checksum. This allows precise identification of which files have been updated.
- Reducing Upload Times: By comparing the checksums in the local and server versions of the files.publii.json file, Publii only uploads files that have actually been modified, saving time and resources.
- Increasing Reliability: The move from a single-site checksum to per-file checksums reduces errors during sync and improves overall consistency in deployments.
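The per-file comparison described above can be sketched as follows. This is an added example, not Publii's own code: the manifest layout (a JSON object mapping path to checksum), the use of SHA-256, and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hash one file's content. SHA-256 is an assumption for this sketch.
function checksum(content) {
  return crypto.createHash('sha256').update(content).digest('hex');
}

// Build a Map(path -> checksum) from an object of path -> file content.
function buildManifest(files) {
  return new Map(Object.entries(files).map(([p, c]) => [p, checksum(c)]));
}

// Parse a manifest downloaded from the server (assumed shape: { path: checksum }).
// A missing or corrupt manifest is treated as empty, so every file is uploaded,
// which is the same effect as a first sync with no per-file checksums yet.
function parseManifest(text) {
  try {
    const data = JSON.parse(text);
    if (data === null || typeof data !== 'object' || Array.isArray(data)) return new Map();
    return new Map(Object.entries(data).filter(([, v]) => typeof v === 'string'));
  } catch {
    return new Map();
  }
}

// Decide which local files differ from what the server manifest records.
function planSync(local, remote) {
  const upload = [];
  const unchanged = [];
  for (const [path, sum] of local) {
    (remote.get(path) === sum ? unchanged : upload).push(path);
  }
  return { upload: upload.sort(), unchanged: unchanged.sort() };
}

// Constructed sample data: the server holds an older index.html and no stylesheet.
const SAMPLE_REMOTE = JSON.stringify(Object.fromEntries(buildManifest({
  'index.html': '<h1>v1</h1>',
  'about/index.html': '<p>about</p>',
})));
const SAMPLE_LOCAL = buildManifest({
  'index.html': '<h1>v2</h1>',
  'about/index.html': '<p>about</p>',
  'assets/style.css': 'body{}',
});

console.log(planSync(SAMPLE_LOCAL, parseManifest(SAMPLE_REMOTE)));
```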
Why Hide or Protect this File?
The files.publii.json file contains information about all the files uploaded to your site using Publii. Generally, these files are already publicly accessible, as they form the visible content of your website. However, if you prefer not to expose the structure or detailed metadata of your site's files for any reason, you can take steps to restrict access to this file.
You can achieve this by:
Redirecting Access
Set up a redirect so any request to files.publii.json is redirected to another page, such as your homepage.
Example (Apache):
Redirect 301 /files.publii.json /
Blocking Access Directly
Prevent access to the file entirely by configuring server rules, such as with .htaccess directives.
Example (Apache):
<Files "files.publii.json">
    Require all denied
</Files>
By taking these steps, you can ensure that the files.publii.json file remains protected while still benefiting from Publii's improved syncing system.
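To confirm after deployment that the rules above and the directory-listing setting took effect, you can request the file and a directory that has no index.html and inspect the responses. The following is an added example, not part of Publii; the function names are hypothetical, the "Index of" title match is a heuristic for Apache- and nginx-style auto-generated listings, and checkSite assumes Node 18+ for the global fetch.

```javascript
// Classify the response to GET /files.publii.json.
function classifyManifestResponse(res) {
  if (res.status >= 300 && res.status < 400) return 'redirected';
  if ([401, 403, 404].includes(res.status)) return 'blocked';
  if (res.status === 200) {
    try {
      JSON.parse(res.body);
      return 'exposed'; // the manifest is readable by anyone
    } catch {
      return 'unclear'; // 200 but not JSON, e.g. a custom error page
    }
  }
  return 'unclear';
}

// Classify the response to GET on a directory that contains no index.html.
function classifyDirectoryResponse(res) {
  if (res.status === 200 && /<title>\s*Index of\s/i.test(String(res.body))) {
    return 'listing-enabled';
  }
  if (res.status === 403 || res.status === 404) return 'listing-disabled';
  return 'unclear';
}

// Live check against your own site. Redirects are not followed, so a 301 from
// the "Redirect 301 /files.publii.json /" rule is reported as 'redirected'.
async function checkSite(baseUrl, dirPath) {
  const get = async (path) => {
    const r = await fetch(new URL(path, baseUrl), { redirect: 'manual' });
    return { status: r.status, body: await r.text() };
  };
  return {
    manifest: classifyManifestResponse(await get('/files.publii.json')),
    directory: classifyDirectoryResponse(await get(dirPath)),
  };
}

// Constructed sample responses, so the classifiers can be tried offline.
const SAMPLES = {
  exposed: { status: 200, body: '{"index.html":"3f2a"}' },
  denied: { status: 403, body: 'Forbidden' },
  moved: { status: 301, body: '' },
  listing: { status: 200, body: '<html><head><title>Index of /media</title></head></html>' },
};
console.log(classifyManifestResponse(SAMPLES.denied), classifyDirectoryResponse(SAMPLES.listing));
```

Call it as `checkSite('https://example.com', '/media/')`, replacing the placeholder URL and directory path with your own site's values.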
Important: When the new checksum system is enabled for the first time, all files will be re-uploaded during the initial sync. This is a one-time occurrence; future synchronizations will only upload changed files.