Day 2: Web Architecture, Security & UX Design

📊 View Lecture Slides

Full-screen presentation with navigation

Day 2: Web Architecture, Security & UX Design

Session Duration: 2 Hours

Phase: 1 — Foundation: Build & Protect

---

Learning Objectives

By the end of this session, students will be able to:

• Explain the three-layer model of traditional web infrastructure (domain, hosting, DNS)
• Contrast traditional self-hosted environments with managed cloud platforms like Google Sites
• Apply four core cybersecurity protocols to a digital business context
• Design a UX-led navigation structure and sitemap for their individual sandbox business
• Technically deploy a live Google Sites homepage with a functioning navigation menu

---

Hour 1: Strategy & Prompt Design (Instructor-Led — 60 minutes)

2.1 Traditional Web Architecture: How the Internet Actually Works

Before a business can participate in digital marketing, it needs a home on the internet. Understanding how that home is built — even at a high level — is what separates a digital marketing manager from someone who can only follow instructions.

The Three Layers of Web Infrastructure

Layer 1: The Domain Name

A domain name (e.g., gurkhatech.com) is your digital address. It is registered through a domain registrar (Namecheap, GoDaddy, Google Domains) for an annual fee. The domain itself does not host anything — it is only a pointer.

• Top-Level Domain (TLD): .com, .np, .edu, .org — signals the nature or location of the business
• Subdomain: blog.gurkhatech.com, shop.gurkhatech.com — extensions of a root domain used to separate functional areas

Layer 2: Web Hosting

Hosting is where your website’s actual files live — the HTML, CSS, images, and database. When a visitor enters your domain, their browser sends a request to your hosting server, which sends back the files that render as a webpage.

Common hosting types:

Hosting Type	Description	Best For
Shared Hosting	Multiple sites share one server	Small blogs, personal sites
VPS (Virtual Private Server)	Dedicated portion of a server	Growing SMBs, high-traffic sites
Cloud Hosting	Scalable, distributed infrastructure (AWS, Google Cloud)	Enterprise, e-commerce
Managed Platform	No server to manage; provider handles everything (Wix, Squarespace, Google Sites)	Beginners, rapid deployment

Layer 3: DNS Routing (Domain Name System)

DNS is the phone book of the internet. When you type gurkhatech.com, your browser queries a DNS server to find the IP address of the hosting server where the files live. This lookup happens in milliseconds and is invisible to the end user.

Key DNS records:

• A Record: Points a domain to an IP address (the server)
• CNAME Record: Points a subdomain to another domain (e.g., www → root domain)
• MX Record: Directs email to the correct mail server

Manager’s takeaway: You do not need to configure DNS yourself, but you need to understand it well enough to brief a developer or diagnose why a newly purchased domain isn’t showing the right site.

---

2.2 Traditional vs. Managed Cloud: The Practical Trade-Off

Factor	Traditional (Self-Hosted)	Managed Platform (Google Sites)
Setup Time	Hours to days	Minutes
Technical Skill Required	Medium–High	Low
Monthly Cost	NPR 500–5,000+ (hosting + domain)	Free (with Google account)
Customisation	Complete	Limited
Security Responsibility	Owner + host	Platform handles
Best Used For	Scalable, branded businesses	MVPs, internal tools, course labs

For this course: Google Sites is our sandbox environment because it removes all infrastructure barriers. You launch a real, live, publicly accessible website on Day 2 — without configuring a server, without spending money, and without a developer. The strategic concepts apply identically to a custom-hosted site.

---

2.3 Core Cybersecurity Protocols for Digital Businesses

Cybersecurity is not an IT department concern — it is a management concern. A data breach, a phishing attack, or an account takeover can destroy years of customer trust in a matter of hours.

Protocol 1: SSL/TLS — The HTTPS Lock

SSL (Secure Sockets Layer) / TLS (Transport Layer Security) encrypts data transmitted between a user’s browser and your server, preventing interception by third parties.

Why it matters for marketing:

• Google explicitly uses HTTPS as a ranking signal. HTTP sites rank lower.
• Chrome marks HTTP sites as “Not Secure” — a visible trust signal that directly harms conversion rates.
• Payment processors (Stripe, eSewa) require HTTPS to function.

Status check: Every page of your website should show a padlock icon in the browser address bar. If it doesn’t, your host is not providing SSL — switch or configure it.

Protocol 2: Access Management & The Principle of Least Privilege

Every account — hosting panel, domain registrar, Google Workspace, social media — should be accessed by only the people who absolutely need it, with only the permissions they need.

Common violations:

• Sharing admin login credentials with freelancers instead of creating limited user accounts
• Never removing a former employee’s access after they leave
• Using the same password across multiple platforms

Fix: Use Google Workspace or similar platforms to create role-based accounts. Use a password manager (Bitwarden, 1Password) for all business credentials.

Protocol 3: Two-Factor Authentication (2FA)

2FA adds a second verification step beyond the password — typically a time-sensitive code sent to a phone or generated by an authenticator app (Google Authenticator, Authy).

Accounts that must have 2FA enabled:

• Domain registrar (a compromised registrar account = someone can steal your domain)
• Google Workspace / Gmail
• All social media business pages
• Any platform with payment information stored

Protocol 4: Brute Force Prevention

Brute force attacks use automated tools to guess passwords by trying thousands of combinations per second. For self-hosted sites (WordPress, etc.), this is mitigated by:

• Limiting login attempts (lockout after 5 failed tries)
• Using a Web Application Firewall (Cloudflare — free tier available)
• Choosing non-default login URLs (changing /wp-admin to a custom path)

Google Sites note: Google’s infrastructure handles this for you — one advantage of managed platforms.

---

2.4 UX Design: Navigation Architecture & Wireframing

UX (User Experience) design is the discipline of structuring a digital environment so that users can achieve their goals with minimum friction and maximum clarity.

The Three-Click Rule (Revised)

The original rule — “every page should be reachable in 3 clicks or fewer” — has been updated by modern UX research to a more nuanced principle: users should never feel lost or uncertain about how to reach what they need. This means:

1. Clear primary navigation (max 5–6 top-level items)
2. Logical page hierarchy (categories → sub-pages, not a flat list of 20 pages)
3. Consistent global navigation (same menu on every page)

Designing Your Sitemap

A sitemap is a hierarchical map of every page on your website and how they connect. It is created before building the site to prevent structural decisions made in the builder from driving what should be a strategic information architecture decision.

Standard sitemap for a service business:

HOME
├── About
│   └── Team (optional)
├── Services
│   ├── Service 1
│   ├── Service 2
│   └── Service 3
├── Portfolio / Case Studies (optional)
├── Blog / Resources
└── Contact

Standard sitemap for a product business:

HOME
├── Shop
│   ├── Category 1
│   └── Category 2
├── About
├── Blog
└── Contact / Support

Navigation Principles for Google Sites

• Limit top-level navigation to 5 items maximum — each additional item reduces attention on all others
• Use descriptive labels, not clever ones — “Services” beats “What We Do” for clarity and SEO
• Include a CTA in the header — a “Contact Us” or “Book a Call” button in the top-right corner of every page is the single highest-value conversion element on any site
• Footer navigation — repeat key links (About, Contact, Privacy Policy) in the footer for users who scroll to the bottom before deciding

---

Hour 2: Digital Sandbox Lab (Individual Execution — 60 minutes)

The AI Prompting Framework: The Lead Systems Architect Prompt

This prompt positions AI as a systems architect to generate two critical outputs: a structural sitemap for your specific business and a launch compliance checklist that covers security, UX, and technical hygiene.

The Full Prompt Template

You are a Lead Systems Architect and UX Strategist with expertise
in web infrastructure design and digital business launch planning.

My business is: [paste your business idea from Day 1 homework]
My target customer is: [paste customer description from Day 1]
My primary business goal online is: [e.g., capture leads / sell products / build authority]
The pages I think I need: [list any pages you already have in mind]

I need you to produce two outputs:

OUTPUT 1: STRUCTURAL SITEMAP
Design a complete sitemap for my business website that:
- Has a maximum of 5 top-level navigation items
- Is structured logically from the customer's journey perspective
  (not from my internal business structure)
- Includes a purpose statement for each page (1 sentence:
  what this page does for the visitor)
- Recommends which page should be the primary conversion point
  (where leads or sales happen) and why
- Suggests one optional "cornerstone content" page that would
  build long-term SEO authority

Format as an indented tree structure with page names and
1-sentence purpose statements.

OUTPUT 2: LAUNCH COMPLIANCE CHECKLIST
Generate a 15-point pre-launch checklist covering:
- Security (4 items: SSL, 2FA, access management, backup)
- UX & Navigation (4 items: navigation clarity, mobile
  responsiveness, page load, CTA placement)
- Content Essentials (4 items: value proposition, contact
  information, privacy policy, social proof placeholder)
- Technical SEO Basics (3 items: page titles, meta descriptions,
  image alt text)

For each checklist item: name the check, explain why it matters
in one sentence, and mark it as [GOOGLE SITES: AUTO] if Google
Sites handles it automatically or [ACTION REQUIRED] if the
student must do it manually.

How to Refine the Output

1. Review the sitemap critically: does it reflect how your customer would navigate, or how you think about your business?
2. For the compliance checklist: complete every [ACTION REQUIRED] item before the end of Day 2
3. If the sitemap feels incomplete, follow up: “Add one more level of detail to the Services section, showing 3 specific service sub-pages with purpose statements”

---

Step-by-Step Lab Instructions

⚙️ Setup (5 minutes)

1. Open your AI tool in a fresh conversation
2. Review your Day 1 homework — have your business idea clearly written
3. Open Google Sites: sites.google.com — sign in with your Google account
4. Create a new blank site. Name it: [Your Business Name] — Sandbox

🤖 Part 1: Run the Lead Systems Architect Prompt (15 minutes)

1. Fill in the prompt template with your specific business details from homework
2. Save the sitemap output to a new Google Doc: [Business Name] — Web Architecture Blueprint
3. Save the compliance checklist output to the same document
4. Review the sitemap: mark any pages you want to adjust or rename

🌐 Part 2: Deploy Your Google Sites Homepage (30 minutes)

Work through these steps in order:

1. Set your site name and header
   • Site title = your business name
   • Header type: Cover (full-width image header)
   • Add a headline from your Day 1 brand positioning
2. Build your primary navigation
   • Add pages matching your AI-generated sitemap (top-level items only for now)
   • Reorder pages to match the customer journey logic from the sitemap
3. Build your homepage hero section
   • Add a text box with your business name as H1
   • Add a sub-headline (1–2 sentences from your brand blueprint)
   • Add a button: label it your primary CTA (e.g., “Contact Us”, “Shop Now”, “Learn More”)
   • Add a placeholder image or colour block as visual background
4. Add a brief “About” section to the homepage
   • 2–3 sentences introducing who you serve and what problem you solve
   • Source this from Day 1’s brand blueprint
5. Add a footer
   • Your contact email
   • Links to key pages
   • A placeholder for social media links

✅ Part 3: Launch Compliance Check (10 minutes)

1. Run through your AI-generated compliance checklist
2. Complete all [ACTION REQUIRED] items
3. Click “Publish” in Google Sites — set visibility to “Anyone with the link”
4. Copy your published URL and add it to your Google Doc: [Business Name] — Web Architecture Blueprint

---

Templates & Worksheets

Template 1: Web Architecture Blueprint Map

WEB ARCHITECTURE BLUEPRINT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Business Name: ___________________________
Google Sites URL (published): ____________
Date Launched: __________________________

SITEMAP
(Transfer from AI output — indented tree format)

HOME
  Purpose: ________________________________
├── [Page 1]: _____________________________
│     Purpose: ____________________________
├── [Page 2]: _____________________________
│     Purpose: ____________________________
│   └── [Sub-page 2a]: ____________________
│         Purpose: _________________________
├── [Page 3]: _____________________________
│     Purpose: ____________________________
├── [Page 4]: _____________________________
│     Purpose: ____________________________
└── [Page 5]: _____________________________
      Purpose: ____________________________

PRIMARY CONVERSION PAGE: _________________
Reason: _________________________________

CORNERSTONE CONTENT PAGE: _______________
Topic: _________________________________

NAVIGATION DECISIONS
Top-level items (max 5):
1. ___________  2. ___________  3. ___________
4. ___________  5. ___________

Primary CTA button text: _________________
CTA destination page: ___________________
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Template 2: Google Sites Launch Checklist

GOOGLE SITES LAUNCH CHECKLIST
Business: ___________________________
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SECURITY
[ ] HTTPS enabled                    [GOOGLE SITES: AUTO]
[ ] Google Account 2FA active        [ACTION REQUIRED]
[ ] Site sharing permissions set     [ACTION REQUIRED]
[ ] No sensitive data on public pages[ACTION REQUIRED]

UX & NAVIGATION
[ ] Navigation ≤5 top-level items    [ACTION REQUIRED]
[ ] Mobile view tested               [ACTION REQUIRED]
[ ] CTA button visible on homepage   [ACTION REQUIRED]
[ ] All navigation links functional  [ACTION REQUIRED]

CONTENT ESSENTIALS
[ ] Homepage headline is clear       [ACTION REQUIRED]
[ ] Contact info visible             [ACTION REQUIRED]
[ ] Privacy Policy page added        [ACTION REQUIRED]
[ ] Social proof placeholder ready   [ACTION REQUIRED]

TECHNICAL SEO BASICS
[ ] Page titles set (all pages)      [ACTION REQUIRED]
[ ] Homepage meta description added  [ACTION REQUIRED]
[ ] Images have descriptive names    [ACTION REQUIRED]

LAUNCH STATUS
[ ] Site published (public URL)      [ACTION REQUIRED]
Published URL: __________________________
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Template 3: Web Security Checklist

WEB SECURITY & COMPLIANCE CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Business: _______________________________
Industry: _______________________________

TECHNICAL SECURITY
[ ] SSL Certificate installed and active
[ ] Login attempt limiting configured (max 5 attempts)
[ ] Two-factor authentication on all admin accounts
[ ] Regular automated backups scheduled (daily/weekly)
[ ] Malware scanning tool active

ACCESS MANAGEMENT
[ ] Admin access list reviewed — only essential users
[ ] Separate user accounts (no shared passwords)
[ ] Former team member access revoked immediately on exit
[ ] Principle of Least Privilege applied to all roles

LEGAL & COMPLIANCE (tick what applies to your industry)
[ ] Privacy Policy published (required if collecting any data)
[ ] Terms & Conditions page active
[ ] Cookie consent banner (if serving EU/UK customers)
[ ] GDPR compliance (if collecting EU customer data)
[ ] Payment Card Industry (PCI-DSS) compliance (if processing cards)
[ ] Industry-specific regulation: ____________________
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

---

Resources & Further Reading

🛠️ Tools Required Today

Tool	Purpose	Cost
ChatGPT / Claude.ai	Lead Systems Architect Prompt	Free
Google Sites	Live website deployment	Free
Google Docs	Blueprint documentation	Free
Cloudflare (for traditional sites)	DNS management + free SSL	Free
Google PageSpeed Insights	Page performance testing	Free

📚 Reference Reading

• Steve Krug — Don’t Make Me Think — The definitive UX book. Chapters 1–4 cover navigation architecture directly.
• Nielsen Norman Group — Web UX Guidelines — nngroup.com — The world’s leading UX research body, extensive free articles
• Google Sites Help Centre — support.google.com/sites — Official documentation
• Troy Hunt — HTTPS is Easy — troyhunt.com — Accessible explanation of SSL/TLS for non-technical readers

🔐 Security Resources

• Have I Been Pwned — haveibeenpwned.com — Check if your email has been in a data breach
• Bitwarden — bitwarden.com — Free, open-source password manager
• Google Workspace Security Checklist — workspace.google.com/security

---

Key Takeaways

1. Architecture Before Aesthetics — Sitemap and navigation structure should be strategic decisions, not afterthoughts made in a website builder.
2. Traditional vs. Managed is a Trade-Off, Not a Hierarchy — Google Sites is not inferior to WordPress; it is the right tool for specific use cases, including rapid deployment and learning environments.
3. Security is a Marketing Issue — HTTPS, 2FA, and access control directly affect customer trust and search engine rankings.
4. UX is Empathy in Practice — Great navigation is built from the customer’s mental model, not the business owner’s internal structure.
5. You Built Something Real Today — A live, publicly accessible website is a meaningful asset, even in its initial state. Every day’s sandbox work now has a real home.

---

_Previous: Day 1 – The Digital Home Base ←

Next: Day 3 – Offer Architecture & Copywriting Frameworks →_