Site Config is the central control panel for customizing everything about your platform - from branding and colors to checkout rules and tax providers. Only Super admins can access it, under Admin > Site Config.
Who Can Edit
Only Super admins can access Site Config. Regular Admins cannot view or edit these settings. Certain fields (password protection, blocked IPs, code injection) are further restricted to Super-only visibility even within the form.
How It Works
The platform uses a two-tier configuration system:
System settings (hardcoded) - Infrastructure like domain names, blob storage prefixes, responsive breakpoints, and performance tuning. These require a code deployment to change.
Site settings (database) - Everything else. Editable by Super admins in the Manager. Changes apply immediately after saving.
When a setting is not yet configured in the database, the platform falls back to sensible defaults. This means your site works out of the box - you only need to configure what you want to customize.
For performance, the active configuration is cached (about five minutes). Saving from the Manager refreshes it instantly, so your changes appear right away. If the database is seeded or edited directly outside the Manager, the cache can briefly lag - an administrator can force an immediate refresh with the site:revalidate maintenance command.
Single-Site Model
The platform runs a single active site configuration - a singleton, looked up by a fixed system ID. The Site Config page shows that site's inline edit form at the top, with a full DataManager table below.
Earlier versions allowed multiple site records with a swappable main flag; that in-app switching has been removed. Future multi-tenancy will resolve the active site by hostname rather than by selecting a main record.
Basic Info
Site name - Appears in the browser tab, emails, footer, and SEO tags. Combined with the tagline for the homepage title.
Tagline - A short phrase shown alongside the site name in SEO (e.g., "Build Better Websites").
Description - The SEO meta description, limited to 160 characters for optimal search engine display.
Theme
The theme section controls the entire visual identity of the site.
Colors (Light & Dark Modes)
Each theme mode has its own full color palette. You can configure both independently:
Primary - Buttons, links, sidebar accents, and interactive elements.
Secondary - Active states, highlights, and hover accents.
Tertiary - Supplementary accent color for special UI elements.
Red / Green / Yellow / Blue - Semantic colors used for errors, success, warnings, and info throughout the UI.
Grey / Light grey - Used for borders, muted text, and subtle backgrounds. These swap between light and dark modes.
Background - The main page background color.
Font colors - Separate colors for headings, subheadings, body text, links, and text on solid-color buttons.
Typography
Fonts are fully configurable per text type - headings, subheadings, and paragraphs each have independent settings:
Font file - Upload a custom font file (WOFF, WOFF2, TTF, OTF) or use a CDN URL.
Font name - The font family name used in CSS.
Fallback - Comma-separated fallback font stack (e.g., "Arial, sans-serif").
Scale - A proportional multiplier (0.75 - 1.5) applied to all sizes of that text type. A scale of 1.0 uses the base sizes; 0.9 makes everything slightly smaller.
Letter spacing - Fine-tune spacing between characters (in em units).
Line height - Vertical spacing between lines of text.
Label scale - Controls form label size as a multiplier of paragraph size.
Borders
Three tiers of border radius and stroke width, each used consistently across the UI:
Radius (sm / md / lg) - Controls corner roundness. Small applies to form fields and badges, medium to buttons and cards, large to hero sections and modals.
Stroke (sm / md / lg) - Controls border thickness. Small for dividers and form fields, medium for buttons and focus rings, large for accent highlights.
Buttons
Padding scale (vertical / horizontal) - Multipliers (0.5 - 2.0) that proportionally adjust all button padding across the site.
Border stroke - Which stroke tier (sm/md/lg) buttons use.
Border radius - Which radius tier (sm/md/lg) buttons use.
Theme Settings
Use device theme - When enabled, the site detects the user's system preference (light/dark) and applies it automatically on first visit.
Show theme switch - Show or hide the light/dark mode toggle in the footer.
Logo
Light mode logo - The logo displayed when the site is in light mode.
Dark mode logo - A separate logo for dark mode, or use the same as light mode.
Favicon - The browser tab icon (.ico, .png, or .svg).
Header scale (0.5 - 2.0) - Controls the logo size in the header. 1.0 is the base size.
Footer scale (0.3 - 1.5) - Footer logo size as a percentage of the header size.
Margin scale (0 - 1.5) - Spacing around the logo. 0 removes extra margin.
Show site title - Display the site name text next to the logo.
Show in footer - Display the logo in the footer area.
Hover effects - Enable or disable logo hover animations.
Navigation
The navigation menu is fully configurable from Site Config without code changes.
Menu Links
Each menu item has these properties:
Name - The display label.
URL - Where the link goes.
Type - Controls how the link renders:
normal - Standard text link.
button - Rendered as a button (e.g., "Sign In").
avatar - Shows the user's avatar when logged in (e.g., "Dashboard").
nested - A dropdown with child links.
category - Auto-generates sub-links from a table's categories (articles, products, or pages).
Menu location - Choose where each link appears: header, footer, or both.
Permission - Restrict visibility by role: visitor (public), user, admin, or super. Empty means visible to everyone.
External - Mark as external link (opens in new tab).
Grouping only - Acts as a label/section header without being a clickable link.
Social Links
A flat list of social media URLs displayed as icons in the footer.
Emails
Admin - Receives critical alerts, new order notifications, and contact form submissions.
Dev - Receives error reports and technical notifications.
Support - The public-facing support email shown to users and used as the reply-to address.
No-reply - The sender address for automated emails (order confirmations, password resets, etc.).
Inventory - Receives low-stock and inventory-related alerts.
Locale
Language / Region - Used for localization and SEO (e.g., "en" / "US").
Currency - The store currency (USD, EUR, GBP, JPY, CAD, AUD, and others).
Timezone - Affects how timestamps are displayed across the platform.
Date format - Choose from MM/dd/yyyy, dd/MM/yyyy, yyyy-MM-dd, or dd.MM.yyyy.
Business address - City, state/region, country, and postal code. Used for tax calculations and legal display.
Area served - List of country codes your business serves. Affects shipping availability.
Hero / Slider
Controls the homepage hero carousel behavior:
Slide speed - Milliseconds between automatic slide transitions (default: 5000ms).
Pagination icon - Shape of the navigation dots (circle, square, or triangle).
Show arrows - Left/right navigation arrows.
Show dot nav - Pagination dots below the slider.
Show bottom shadow - Gradient overlay at the bottom of slides for text readability.
Notices
Three independent site-wide banner notices, each targeting a different audience:
System notice - Shown to all visitors (e.g., maintenance announcements).
User notice - Shown only to logged-in users.
Admin notice - Shown only to admin and super users.
Each notice has: active toggle, dismissable toggle, title, message, icon, background color, font color, and background opacity.
Checkout
Require login - When enabled, guests must create an account before completing checkout.
Condensed checkout - Skips the cart review step and goes straight to the checkout flow.
Order queue - Queues orders during traffic spikes to prevent overselling. Options: auto (activates at 10+ orders/2min or 20+/5min), on (always queue), or off.
Zero state - How free items are displayed: hidden (no price shown), zero (shows $0.00), or free (shows "Free").
Payment disclaimer - Optional text shown during checkout (e.g., refund policies, legal notices).
Show Company Name field - B2B: surfaces an optional Company Name input in the checkout's Order Contact section. Off by default. Saved on the order and surfaced in Stripe metadata for AP reconciliation.
Show PO Number field - B2B: surfaces an optional PO Number reference field in the checkout. The PO is stored on the order and printed on the receipt; it does not change the payment flow (billing info / card collection still happens normally) and works for both card and invoice purchases. Off by default.
Pay-by-Invoice (the Net-30 / B2B invoice flow) is configured under E-Commerce > Pay by Invoice. That section also owns the Invoice payment terms and Invoice CC email fields — they used to live here, but moved alongside the feature toggle so they're only visible when it's on.
The shipping/billing contact overrides (separate recipient name on the package, separate AP contact for billing) are always available at checkout when the relevant address differs from shipping — they don't require a Site Config flag, since they're zero-cost (collapsed behind a sub-checkbox) and useful for any seller. See Docs > Manager > E-Commerce > Checkout Flow for the full B2B field walkthrough.
Shipping
Service all markets - When enabled, accepts orders from any country. When disabled, only countries in your domestic and international lists are accepted.
Domestic rate - Flat shipping rate for domestic orders.
Domestic countries - Country codes considered domestic (e.g., ["US"]).
International rate - Flat shipping rate for international orders.
International countries - Allowed international shipping destinations (only used when "service all markets" is off).
Free shipping - Enable free shipping above a configurable order threshold.
Tax
Enabled - Master toggle for tax calculation.
Provider - Choose the tax calculation method:
stripe-tax (default) - Uses Stripe Tax via your existing STRIPE_SECRET_KEY. Configure tax registrations in the Stripe Dashboard.
static - Approximate state averages. Good for demos and unconfigured sites; not recommended for live commerce.
Business type - Affects tax categorization: physical goods, digital services, or mixed.
Enable fallback - If the configured provider fails, fall back to static rates instead of returning 0%.
Purchase Limits
Configurable rules that restrict purchasing behavior. Useful for limited-edition drops, preventing abuse, or enforcing compliance.
Enabled - Master toggle for all limit rules.
Guest identification - How to identify guests for limit enforcement: by email, by session, or both.
Enforce during cart - Check limits when items are added to cart (session-based).
Enforce during checkout - Check limits at checkout (email-based, more reliable).
Limit Rules
Up to 10 rules, each with:
Threshold - A max or min value that triggers the limit.
Factor - What's being measured: number of orders, total quantity, or currency amount. Scoped per-user or per-order.
Period - Time window: forever, day, week, month, or year. Can be rolling (last 30 days) or calendar-based (this month).
Example: "Max 2 orders per user per month" or "Max $500 per order."
Security
Allow sign up - Toggle whether new users can register accounts.
Breach & common-password screening - Reject passwords found in known data breaches (checked privately against HaveIBeenPwned - only a partial hash ever leaves the server) or on a bundled common-password list. Enforced everywhere a password is set: sign up, reset, change, onboarding, and admin-set. Aligns with NIST 800-63B / SOC 2 CC6.1. If the breach service is briefly unreachable, password changes are allowed through (the common-password list still applies).
Password protection - Gate the entire site behind a password. Configurable title, message, and button text for the access page. Super-only setting.
Blocked IPs - A list of IP addresses or CIDR ranges to block from accessing the site. Super-only setting.
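The breach screening described above, as an added example (not the platform's own code): only the first five hex characters of the password's SHA-1 hash are sent, the rest is matched locally, and an unreachable service fails open while the common-password list still applies. The function names, the tiny common-password list, its case-insensitive match and the sample response body are assumptions constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Constructed stand-in for the bundled common-password list (assumption).
const COMMON_PASSWORDS = new Set(['123456', 'password', 'qwerty', 'letmein']);

// SHA-1 the password; only `prefix` (5 hex chars) is sent to the range
// endpoint, https://api.pwnedpasswords.com/range/<prefix>. `suffix` stays local.
function rangeQuery(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The response is one "SUFFIX:COUNT" line per known hash with that prefix.
// Padded responses carry filler lines with a count of 0, which must not match.
function breachCount(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// rangeBody: response text for this password's prefix, or null when the
// breach service could not be reached.
function screenPassword(password, rangeBody) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { ok: false, reason: 'common' }; // local list applies even when offline
  }
  if (rangeBody === null) {
    return { ok: true, reason: 'breach-check-skipped' }; // fail open
  }
  const { suffix } = rangeQuery(password);
  return breachCount(suffix, rangeBody) > 0
    ? { ok: false, reason: 'breached' }
    : { ok: true, reason: 'clean' };
}

// Constructed sample response: one zero-count filler line and one real hit.
const SAMPLE_RANGE_BODY = [
  `${'0'.repeat(34)}1:0`,
  `${rangeQuery('correct horse').suffix}:12`,
].join('\r\n');

console.log(screenPassword('correct horse', SAMPLE_RANGE_BODY));
```

Because the outage path accepts the password, a skipped check is worth logging so that a long outage of the breach service does not go unnoticed.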
Content
Controls for recommendation sections that appear on product and article pages:
Other products - Show/hide, title text, number of items (1-12), sort field, and sort direction.
Other articles - Same options for article recommendations.
Placeholders
Default fallback values used across the platform when no data exists:
Form fields - Default placeholder text for name, email, address, phone, city, state, and zip fields.
Images - Fallback images for missing avatars, product images, and hero banners.
Compliance (SOC 2)
Automated compliance tools for data backup and PII deletion. Both features are disabled by default and can be toggled on here.
Backup - Enable/disable automated backups, set cadence (hours between runs), retention period (days before old backups are deleted), toggle encryption, and exclude specific tables.
PII Deletion - Enable/disable automated PII cleanup, set cadence, and configure per-table rules specifying which tables to process, the strategy (anonymize or delete), retention period, trigger field, and optional status filters.
See the Compliance & Audit docs for a full walkthrough of how these features work together.
Code Injection
Inject custom CSS and scripts into every page on the site. Useful for analytics, chat widgets, tracking pixels, Instagram embeds, and visual tweaks that don't warrant a code change. All three fields support up to 50,000 characters.
Global CSS - Injected as a <style> tag in <head>. Styles here override the theme system. To test, paste the snippet below and look for a green badge in the bottom-right corner:
Header Scripts - Injected before </head>. Use for analytics (Google Analytics, GTM), chat widgets (Tidio, Crisp), or any script that needs to load early. Paste JS code or full <script> snippets — tags are auto-stripped for CSP nonce. To test, paste the snippet below and check browser DevTools (F12) > Console:
console.log("[codeInject] header script loaded");
Footer Scripts - Injected before </body>. Use for tracking pixels, deferred scripts, or anything that should load after page content. To test, paste and check Console:
console.log("[codeInject] footer script loaded");
<script> tags are automatically stripped — your code is wrapped in a <script> element with a CSP nonce for security. External script domains (e.g., cdn.tidio.co, googletagmanager.com) may need to be added to the CSP whitelist in proxy.ts by a developer. Remove test snippets after verifying.
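A pre-save review of the two script fields, as an added example (not the platform's code): it lists external hosts that are not yet on the CSP allowlist, flags a field over the 50,000-character limit, and catches a leftover test snippet. The function names, field keys, sample snippets and the allowlist contents are assumptions; CSP_SCRIPT_HOSTS stands in for whatever proxy.ts actually permits.

```javascript
// Constructed allowlist: hosts the site's CSP already permits for scripts.
const CSP_SCRIPT_HOSTS = new Set(['www.googletagmanager.com']);
const MAX_FIELD_CHARS = 50000; // per-field limit stated on the page

// Hostnames referenced as http(s):// or protocol-relative // URLs.
// A "//word.word" code comment also matches; treat hits as items to review.
function referencedHosts(snippet) {
  const pattern = /(?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  const hosts = new Set();
  for (const match of snippet.matchAll(pattern)) {
    hosts.add(match[1].toLowerCase());
  }
  return [...hosts].sort();
}

// Review Header Scripts / Footer Scripts content before saving.
function auditInjection(fields, allowedHosts = CSP_SCRIPT_HOSTS) {
  const report = [];
  for (const [field, snippet] of Object.entries(fields)) {
    const blocked = referencedHosts(snippet).filter((h) => !allowedHosts.has(h));
    const tooLong = snippet.length > MAX_FIELD_CHARS;
    const testSnippet = snippet.includes('[codeInject]'); // leftover test line
    if (blocked.length > 0 || tooLong || testSnippet) {
      report.push({ field, blocked, tooLong, testSnippet });
    }
  }
  return report;
}

// Constructed sample input; G-EXAMPLE and EXAMPLE.js are placeholders.
const SAMPLE_FIELDS = {
  headerScripts:
    '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>\n' +
    '<script src="//cdn.tidio.co/EXAMPLE.js"></script>',
  footerScripts: 'console.log("[codeInject] footer script loaded");',
};

console.log(JSON.stringify(auditInjection(SAMPLE_FIELDS), null, 2));
```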