A client with a staging site just raised concern that their site could be crawled. (It would require a crawler to go looking for their domain, but if a crawler somehow stumbled on a link to the site, then the site could be crawled.)
The solutions for this, of course, are to turn on
login_required, but this would require remembering to reset them every time a backup from the production site is restored to the staging site.
Neither of these settings is
shadowed by global.
Solutions that I have right now are to have
site_settings.yml to add
shadowed_by_global to one of those variables or to create a plugin that sets them.
Am I missing something?