Lightweight open source PHP content management system popular in the Russian and Belarusian web ecosystem, designed to deliver static pages with minimal cookies.
MaxSite CMS is a free open source PHP based content management system created by Maxim Donchenko, popular in Russian speaking web communities. It targets small to medium publishers and emphasises clean URLs, minimal database usage, fast page rendering and a small footprint of cookies set on the visitor browser. The platform is self hosted, which means the data controller is the site operator.
A vanilla MaxSite CMS install only sets a PHP session cookie (PHPSESSID) for logged in authors and editors, plus an optional CSRF cookie that protects forms from cross site request forgery. Anonymous visitors browse without any persistent identifier. No analytics, no advertising, no fingerprinting are bundled with the core CMS.
The PHP session cookie qualifies as strictly necessary under recital 66 of the ePrivacy Directive, so it can be set without prior consent. Visitor IP addresses are processed for security and routing purposes under legitimate interest (Art. 6(1)(f) GDPR). The compliance posture changes as soon as the operator activates plugins for analytics, advertising, social embeds or comments: those typically require consent.
Because MaxSite CMS is self hosted, GDPR transfer rules apply to the chosen hosting provider rather than to the software itself. If the host is in Russia or another country without an adequacy decision, document the appropriate Article 46 GDPR transfer tools (Standard Contractual Clauses) and run a Transfer Impact Assessment.
Document the PHPSESSID cookie in your cookie register, configure session lifetime to the minimum needed, restrict admin access by IP, keep PHP and MaxSite up to date, list any third party plugin in the cookie policy, gate non essential plugins behind a CMP and provide a clear privacy notice in line with Article 13 GDPR.
Websites using MaxSite CMS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a vanilla MaxSite CMS install because no behavioural tracking takes place. A DPIA may be needed if the operator adds analytics, profiling, advertising or comment moderation plugins that process visitor identifiers.
Sample consent text
This site runs on MaxSite CMS. The CMS itself only uses strictly necessary session cookies. With your consent, optional analytics or comment plugins may set additional cookies.
Third-party domains contacted
max-3000.com
maxsite.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first_party | Session | PHP session identifier used to keep authenticated authors logged into the MaxSite CMS admin area. |
| csrf_token | first_party | Session | CSRF token used to protect MaxSite admin and comment forms against cross site request forgery. |
| comment_author | first_party | 1 year | Optional cookie that remembers the visitor name and email when posting comments through a MaxSite plugin. |
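
The register above can be checked against what a site actually sends. The following is an added example, not part of MaxSite CMS or the original page: it audits `Set-Cookie` header values against the three registered cookies and their durations. The sample headers are constructed, and the HttpOnly/Secure check on PHPSESSID is an assumption beyond what the table states.

```python
from http.cookies import SimpleCookie

YEAR = 365 * 24 * 3600
# Register from the cookie table: name -> maximum lifetime in seconds.
# None marks a session cookie, which must carry no Max-Age or Expires.
REGISTER = {"PHPSESSID": None, "csrf_token": None, "comment_author": YEAR}


def audit_set_cookie(headers):
    """Return (cookie name, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in REGISTER:
                findings.append((name, "not in cookie register"))
                continue
            limit = REGISTER[name]
            max_age = morsel["max-age"]
            if limit is None and (max_age or morsel["expires"]):
                findings.append((name, "persistent, registered as session"))
            elif limit is not None and max_age.isdigit() and int(max_age) > limit:
                findings.append((name, "lifetime exceeds register"))
            # Assumption (not from the page): the authenticated session
            # cookie should also carry the HttpOnly and Secure flags.
            if name == "PHPSESSID":
                for flag in ("httponly", "secure"):
                    if not morsel[flag]:
                        findings.append((name, "missing " + flag))
    return findings


# Constructed sample responses, not captured from a real MaxSite site.
SAMPLE_HEADERS = [
    "PHPSESSID=4f1c9a; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrf_token=9d2e; Path=/; Max-Age=86400",
    "comment_author=Anna; Path=/; Max-Age=63072000",
    "_ym_uid=1700000000123456; Path=/; Max-Age=31536000",
    "PHPSESSID=abc; Path=/",
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

A cookie reported as "not in cookie register" usually points to a plugin that was activated without updating the cookie policy or the consent gate.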
By default MaxSite CMS only sets a PHP session cookie (PHPSESSID) for authenticated authors and an optional CSRF token cookie. No tracking, advertising or analytics cookies are set by the core platform.
No prior consent is required for the core CMS, because the only cookies are strictly necessary under recital 66 of the ePrivacy Directive. Consent becomes required when optional analytics, comments, captcha or advertising plugins are activated.
Strictly necessary cookies and access logs rely on legitimate interest (Art. 6(1)(f) GDPR). Any plugin that places non essential cookies or processes behavioural data must rely on consent (Art. 6(1)(a)).
MaxSite CMS itself does not transfer data anywhere. Transfers depend on the hosting provider you choose and on plugins (Yandex.Metrica, Google Analytics, social embeds). Document the transfers per processor in your processing register.
Not for a vanilla install. A DPIA may be needed when you bolt on profiling, advertising, comment moderation or analytics plugins that process visitor identifiers at scale.
Keep core and plugins up to date, restrict admin access, configure session lifetime, document the PHPSESSID and CSRF cookies, gate optional plugins behind a CMP, sign DPAs with hosting and any plugin processors, and publish a clear privacy notice.
Other lightweight self hosted CMS options include WordPress (with privacy plugins), Grav, Bludit, Kirby, Statamic, Hugo (static), Eleventy (static) and Ghost. Each has its own cookie posture and ecosystem of trackers.
List PHPSESSID and any CSRF cookie as strictly necessary. Add every plugin cookie with name, purpose, retention and processor. Mention the hosting provider and the country of processing. Update the policy whenever you add or remove a plugin.