
Tuesday, August 30, 2016

Fun with HTTP Strict Transport Security!

At the moment I write this, something odd is happening with the US Senate site (if you view it in Chrome at least). If you go to http://www.senate.gov/, you will see the home page.

But, if you go to https://www.senate.gov/, you will see an error message telling you that HTTPS isn't working, and a link to go back to HTTP instead.

Clicking the link - which does actually point to HTTP instead of HTTPS - will, however, cause the browser to re-request https://www.senate.gov/, which of course you can't get to because of the error. So, your next diagnostic step might be to close your browser and reopen it, then explicitly enter http://www.senate.gov/. This will cause your browser to AGAIN request https://www.senate.gov/ instead of http://www.senate.gov/. What gives?

The cause of this behavior is something called HTTP Strict Transport Security, or HSTS. I ran into a problem with HSTS a few months back, but the problem was on an internal site that I couldn't share in a blog post.

Basically, HSTS tells browsers to use ONLY HTTPS for a host for some period of time after the first HTTPS response. That initial HTTPS response includes a response header called, appropriately enough, Strict-Transport-Security. The header carries a max-age value in seconds, and for that duration the browser will only send HTTPS requests to the host. Any HTTP links in documents from that host are automatically rewritten to HTTPS before the request is sent. The odd thing here, arguably, is that servers often send the header on plain HTTP responses as well. Browsers ignore it there; the policy only takes effect once the header arrives over HTTPS, and from that point all requests to the host must be HTTPS until the max-age has elapsed. This time period may be quite long - in the screenshot below, it's one hundred and eighty days!

Another feature used to enforce HTTPS usage is called Upgrade Insecure Requests, and it is often used together with HSTS. It's a Content Security Policy directive that a server can include in its response headers, and browsers can also apply it on their own without being asked. If a browser supports it, it sends a corresponding HTTP request header:

Upgrade-Insecure-Requests: 1

This will allow the server to serve an HTTPS alternative if one exists. Modern versions of Chrome and Firefox do this for every page request, but Microsoft Edge does not. Here's a screenshot showing the server Content-Security-Policy directive and Strict-Transport-Security response headers, and the Upgrade-Insecure-Requests request header.

Each of these is a good and valuable feature for improving HTTPS security, but together they can cause some odd problems. The problem I ran into, specifically, was a combination of issues. Note the attributes of Strict-Transport-Security in the previous screenshot. Not only is there a max-age, but also an "includeSubDomains" directive.

Let's say you have http://someapp.domain.com/. And on that site, you include a CSS file that's used by the "main" site http://domain.com/. This is a pretty common practice. Now, let's say that HTTPS is enabled on domain.com. If you use Chrome or Firefox, they will read the HTTP URL from the default document on someapp.domain.com, then send an HTTP request for that URL to domain.com - along with the Upgrade-Insecure-Requests header. That server will then redirect the browser to the HTTPS version of that URL, and send back the Strict-Transport-Security response header.

On your next page request to http://someapp.domain.com/, Chrome or Firefox will then automatically request https://someapp.domain.com/ instead! This will cause a problem if you don't actually have a TLS certificate installed on that server. You can address this by (a) adding a valid, signed TLS certificate to your server, or (b) removing references from your site to other HTTPS-enabled hosts in the same domain.
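To make the behaviour above concrete, here is an added JavaScript example (not code from the original post) that models what the browser does: it parses the Strict-Transport-Security header, ignores it on plain-HTTP responses, applies a parent-domain policy to subdomains only when includeSubDomains is present, and expires it after max-age. The hosts domain.com and someapp.domain.com are the post's placeholders, and the 180-day max-age is the value from the post's screenshot.

```javascript
// Added example, not code from the original post: a small offline model of the
// browser side of HSTS. Hosts and the 180-day max-age come from the post.

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
// Returns null when the header is unusable (missing or non-numeric max-age).
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of String(headerValue).split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, value] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (value === undefined) return null;
      const n = Number(value.replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Other directives (e.g. preload) are ignored, as RFC 6797 requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// In-memory model of a browser's HSTS store: host -> { expires, includeSubDomains }.
class HstsCache {
  constructor() { this.policies = new Map(); }

  // Store a policy from a response; the header is honoured only when it arrives
  // over HTTPS and is ignored on a plain HTTP response (RFC 6797 section 8.1).
  observeResponse(scheme, host, headers, nowMs) {
    const value = headers['strict-transport-security']; // lower-cased header names assumed
    if (scheme !== 'https' || value === undefined) return false;
    const parsed = parseHsts(value);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) { this.policies.delete(host); return true; } // max-age=0 revokes
    this.policies.set(host.toLowerCase(), {
      expires: nowMs + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Must an http:// request to `host` be rewritten to https://? A policy on a
  // parent domain applies to this host only if it carries includeSubDomains.
  shouldUpgrade(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length - 1; i++) {   // never match the bare TLD
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (!policy) continue;
      if (policy.expires <= nowMs) { this.policies.delete(candidate); continue; }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }
}

// Replay the post's scenario: someapp.domain.com (HTTP only) embeds a CSS file
// from domain.com, which redirects to HTTPS and sets HSTS with includeSubDomains.
function replayScenario() {
  const cache = new HstsCache();
  const t0 = Date.UTC(2016, 7, 30);                       // constructed "now"
  const hsts = 'max-age=15552000; includeSubDomains';    // 180 days
  const hdrs = { 'strict-transport-security': hsts };
  // 1. The header on domain.com's plain-HTTP redirect is ignored: no policy yet.
  cache.observeResponse('http', 'domain.com', hdrs, t0);
  const beforeHttps = cache.shouldUpgrade('someapp.domain.com', t0);
  // 2. The browser follows the redirect to https://domain.com and stores the policy.
  cache.observeResponse('https', 'domain.com', hdrs, t0);
  const afterHttps = cache.shouldUpgrade('someapp.domain.com', t0);
  // 3. Once max-age has elapsed, plain HTTP to the subdomain works again.
  const afterExpiry = cache.shouldUpgrade('someapp.domain.com', t0 + 15552001 * 1000);
  return { beforeHttps, afterHttps, afterExpiry };
}
```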

If you use HTTPS everywhere, which is strongly recommended, you won't have this problem. Until then, be careful!

[Note: cross-posted on Dave Watts' personal blog]

Monday, July 18, 2016

5 Reasons to Attend Drupal GovCon 2016

Drupal GovCon takes place at the NIH campus from July 20-22 and you’re invited to attend!

Drupal, an open source content management system (CMS), is known for its collaborative online community. From designers and developers, to agencies and organizations, Drupal has prided itself for years on its community and its content.

With the launch of Drupal 8, there are new “tricks of the trade,” and more than 200 new features and improvements. Drupal GovCon brings together government employees and system integrators (like Fig Leaf Software) for three days of free Drupal training and networking.

If you find yourself in one of those categories, even if you don’t currently use Drupal, you’ll want to attend Drupal GovCon 2016 at NIH. Here are five reasons why:

5. It’s Close (if you are a government employee based in the DC Metro area)

This year’s Drupal GovCon is at the Natcher Conference Center at the National Institutes of Health in Bethesda, MD. Not only are most federal agencies located in the Washington DC metropolitan area, but so are many digital agencies, solution integrators and government web designers and web developers. The NIH is just a quick trip on the DC Metro Red Line to Medical Center Station. So even if you can’t attend every day of the conference, or even a full day, it’s still accessible and you can take advantage of a handful of sessions.

4. It’s Free

That’s right -- totally free. Tickets to attend the events, including keynote speeches and seminars, are all free, but registration is still required. The only cost for the event would be transportation and parking, if you choose to drive, but the GovCon team strongly recommends taking the metro. It’ll save you $12 per day and a car security inspection.

Note that pre-conference training sessions start on Tuesday, July 19th and will be held off-site at the Bethesda, Maryland Doubletree Hotel. Fig Leaf will be teaching Ready, Set, Drupal 8 for web developers, designers, project managers and agency executives seeking to understand how to get started with Drupal 8.

3. It Will Challenge You

Drupal GovCon is three days straight of trainings, seminars and keynote speeches. In addition to providing practical solutions to technical questions regarding Drupal, speakers will also challenge you to think outside the box and dream about what you and your agency could accomplish with the new Drupal 8.

With 11 45-minute seminar periods, and about 7 seminar options per period, there are countless options for varied experience levels to learn and develop new, pertinent skills.

The seminars discuss a variety of Drupal issues that impact government agencies like:
  • Take Charge of Your Events with UniCal
  • Oh Yeah!! The Story of a Drupal 7 to 8 migration
  • Living Style Guide Based Workflow
  • Integrating 3rd Party APIs with Drupal
  • Beheading Drupal: Speedy Interfaces with RESTful api and JS
  • Hey Wouldn’t it Be Cool If…

On the conference schedule site, you can even choose seminars based on your area of expertise, like Site Building, Business and Strategy, Training or more.

Even if you aren’t currently using Drupal, there are opportunities to learn more about content management and development and to push the envelope for better content delivery.

2. It’s got the Best of the Best

In addition to the seasoned and experienced seminar speakers, this year’s keynote speakers are some of the best in the industry. In addition to the Senior Web Designer and Senior Consultant for the NIH Drupal implementation team, the conference also welcomes Allyson Kapin and Laura Bell.

Kapin was named one of the “Most Influential Women in Tech” by Fast Company and co-founded the RAD Campaign, a digital web agency that assists nonprofits with web design and development. Kapin also founded Women Who Tech and started the Women Startup Challenge in 2016.

Bell is a renowned speaker from New Zealand with almost a decade of development experiences, specializing in security. Bell is the founder and lead consultant at SafeStack Limited, which supports agencies in developing security features and applications.  

1. It Will Connect You

That’s what Drupal is known for. It’s a large, open source community that collaborates to build an excellent CMS. And this is one of the largest annual Drupal gatherings offered, specifically tailored for government. Drupal GovCon has several networking events where developers and agency representatives can meet and collaborate over new initiatives. And you actually get to interact with people in your industry, people who most likely understand the struggles that you endure day-to-day with your projects. Working with Drupal, while very rewarding, can get lonely and frustrating -- but finding people who understand and have fought some of the same frustrations can help.

Want to attend Drupal GovCon? Register here.

Fig Leaf Software will be there too! We're a sponsor again this year and we look forward to learning about your agency's Drupal projects, discussing how we can support your Drupal site, train your web team, or help you launch a new Drupal site on Acquia or AWS GovCloud.

Can't attend but want Drupal 8 training? Sign up for free Drupal 8 training or any of Fig Leaf's paid one or two day Drupal 8 training classes at http://training.figleaf.com/Courses/drupal8.cfm

Wednesday, January 27, 2016

7 Ways to Engage Current Students through Social Media

Once you’ve gotten students to your university, you may think you’re in the clear. However, 1 in 3 students choose to transfer at least once during their time in college, according to the National Student Clearinghouse Research Center. That means you need to be active in the process of making your students proud to be there.

In addition, if you don’t engage your current students, you could be missing your greatest opportunity to bring in prospective students. Peers still play a big role in the college decision process, according to research by the Association for Supervision and Curriculum Development. So you’re not just increasing loyalty of your current students, but you could be creating a new trend among their younger friends.

With tactical social media content and strong loyalty from current students, you could even draw the 1 in 3 students that choose to transfer from another university! (For more ways to reach prospective students, check out “5 Ways to Attract Prospective Students through Social Media”).

Here are 7 ways to engage your current students:  

1. Share Interesting News
In the digital age, there is so much vying for your current students’ attention. The good news is that they’ll want to read your stuff because you are a trusted source -- these students already have a vested interest in what’s new at your school.

So how do you rise to the top? The same way that journalists do -- by using news values. It’s what makes your content interesting. It should contain elements of Impact, Timeliness, Prominence, Proximity, Oddity, Human Interest and/or Conflict.

Like it or not, social media is a type of journalism. However, now you are the gatekeeper of the information that is shared. But your students aren’t going to read your posts if they aren’t interesting.

Since this is the foundational principle, I will share how it influences the other 6 tips.  

2. Talk about Famous People
As previously stated, talking about famous people (or prominence) is always a good way to get social engagement (i.e. likes, retweets, favorites, comments). People like to be associated with any type of celebrity and they’ll share about it, in person and through social media.

So, if you have famous alumni or special guests visiting your university, milk it for what it’s worth. Write a story, interview the guest/alumnus and promote it on social media! This will create great engagement with your students and it will create the kind of buzz you’re looking for.

Check out what the University of Wisconsin-Madison did to leverage Katie Couric’s birthday:


Couric wasn’t even a graduate from Wisconsin, but they leveraged this photo from graduation and got 2,577 likes and 38 shares -- it’s tough to beat that engagement!


3. Share Students’ Content
The average college student spends 8-10 hours on his/her phone, according to a study from Baylor University. Much of this time is spent on social media, Facebook being the second most recorded task behind texting.

One of the main reasons students check social media is to see if anyone has interacted with them. It’s a big deal -- so how much more so if they get a notification from their university?

If you retweet a student’s tweet, or share a student’s Instagram photo, it will likely impact their day and they will tell their friends. There’s that social influence again.

Check out how George Mason University has done this with some of its students.

By retweeting Bridget’s tweet, GMU is positively affirming her social connection with the university, and she’ll be more likely to incorporate her university into more of her tweets.  

4. Use Social Media as a Link
Social media is a natural connector. It connects your university with your current students, prospective students, former students and potential investors.

But it’s not just a social connector -- it’s a tech connector. You can use social media as a dynamic marketplace of ideas: news stories, updates and happenings. It’s where web content can be pumped in and potential website visitors can be pumped out.

When you use social media as a link and not just an individual platform, then you maximize its utility for resourcing your current students with information and bringing in more consumers of your web content.

Check out the way that the University of California Berkeley used social media as a link, sharing the same story across multiple platforms.

UC Berkeley tweets out their original content on alumni who are doing great things in the area. They are employing news values of interest to students (proximity, human interest) in order to garner new consumers for its news stories.
Here’s the original story on the website. The social sharing icons below the story allow it to be organically shared on social media by interested readers, allowing current readers to market to potential readers from their social circles.

5. Capitalize on Sports’ Success
As interesting as news stories and famous people might be, nothing seems to capture the attention of college students like sports success.

On the one hand, college students are young, active and probably interested in sports themselves. But something happens in college athletics that turns ordinary fans into obsessed fanatics, according to Eric Simons author of The Secret Lives of Sports Fans.

Simons writes that there is a physiological science that affects the affinity of students and makes them physically and emotionally attached to their team. This creates a strong bond that is not easily broken. And you can capitalize on this strong bond by sharing and celebrating the successes of your sports teams.

See the way that Texas Christian University and the University of Virginia leverage their sports teams for social media success.

This TCU tweet capitalized on timeliness (tweeted in January), proximity and prominence. You can tell by the engagement (167 favorites, 44 retweets) how successful it was.


UVA used human interest by capitalizing on Brogdon’s success and his prominence through his interview with ESPN. Students want to be connected to someone like this and they’ll retweet it to show their support -- 64 times that is!

6. Use Social Campaigns & Trending Hashtags
Another way to drum up interactions and engagements with your current students is to use campaigns and trending hashtags. This allows your students to take part in something bigger than themselves and to buy into the vision that you have created.  Thus, you are able to organically create buzz surrounding your school by launching a platform for students to share and communicate about their experience.

Check out this campaign from the University of Maryland: #UMDinspires.

By changing their cover photo, they’ve informed their current students about the campaign #UMDinspires and integrated the goals and engagement across platforms.

Maryland is able to share its commitment to diversity and diverse student body through the lens of the campaign, inviting students to share their excitement for this, or other aspects of the university that inspire them.

7. Use Humor
At the end of the day, your current students want to have fun and that’s why they’re on social media. If you’re always gloating or sharing statistics, they’re going to tune out. You need to be professional and strategic, but if you neglect the entertainment piece then your efforts will reach a ceiling of engagement.

Check out how University of California Los Angeles balances humor, natural language and professionalism here:

UCLA capitalizes on its sports success and tries to engage the entertainment culture so prevalent amongst college students with this humorous, fitting video.

UCLA makes the best of a bad situation, combining oddity with humor in this tweet.


Thursday, December 17, 2015

5 Ways to Attract Prospective Students through Social Media

You believe in your school -- that’s why you work there. You just wish that you could get prospective students to see what you see. That’s where social media comes in. You get to entertain them, engage them on their turf and paint the picture for the school that you know and love. These five best practices will help prospective students see what you see.

1) Know Your Audience

You’re reaching people, not robots. These people have real stories and they’re going to be more attracted to their interests, not yours. This will take some thorough research from your school’s admissions history. Where are your students from? What are the most popular majors? What sorts of things do they like to do? Why did they choose your university? Once you’ve established some key characteristics, create a few prospective student personas -- these are profiles designed to help you put a face to the students you’re trying to reach. Take some time to read up on social media habits of your target audience. This will help you gear where to place your content. According to the Pew Research article “Teens, Social Media & Technology Overview 2015”, your best bet is to use Facebook or Instagram to reach your prospective students.

2) Make Content Purposeful

It’s gotta be fun, of course. But if there isn’t a purpose to it, why post it? According to US News and World Report, the biggest reasons why prospective students land on a college are reputation, job prospects upon graduation and financial feasibility.

Harvard Engaging Students via Instagram
So don’t just post fluff. Teens can go anywhere online for that. But they’re going to follow or engage with you because you can create content with a purpose without sacrificing entertainment. How can you do this? By using something timely like Harvard did during Thanksgiving, they’re able to remain playful but are also able to share a unique aspect of their culture.


3) Engage Prospective Students

University of Michigan kids Cheer!
Social media is a perfect medium for entertaining, so if you’re not already doing that, then you need to start. This is especially true if you’re a smaller school. Entertaining social media posts can help get your school recognized and get your name out there. First impressions are key, and entertaining a prospective student is the first step. It helps to build rapport and trust. Here’s a great example from University of Michigan’s Instagram: Who wouldn’t want to go to your school with cute kids cheering for you?

4) Make Your Social Media Relevant

Harvard uses Social Media to Engage Students
"The World According to Star Wars" on Harvard's Facebook Page 
Teens are always online. According to Pew Research Center, 92% of teens go online daily, 24% of whom describe themselves as “constantly online”. That’s a lot of time and opportunity to come across your school! The only problem is that there’s so much to look at, and teens are easily swayed. They need to be convinced that whatever they’re looking at is relevant to their lives right now. So you’ve got to be creative. Harvard knows its audience and they can have a little fun. When prospective students see Star Wars characters in the classroom, you’ve got their attention. Check out another great example from Harvard’s Facebook:

5) Highlight Real People Doing Big Things

Prospective students have big dreams. Sure, culture tells them to go to college so they can get a good job and become successful -- the American dream. But entrepreneurship and research are on the rise and college students are leading the charge. The best way to sell your school is to show your prospective students what they could become and what they could accomplish. Everyone can connect with a story. When stories are told about current students and/or alumni doing big things in the world, prospective students start dreaming.

So you can sell them on the nuts and bolts of your school all day long, which is important, but if they don’t see the big picture, they’re not going to be convinced.
This post from the University of Pennsylvania’s Facebook is a great example:

How Many Developers Does It Take to Screw In a Lightbulb? Leveraging the Internet of Things!

The Internet of Things (IoT)

by Steve Drucker, Founder

The Internet of Things (IoT) refers to the increasing number of devices that are now connected to the Internet and can be programmed remotely (typically from your smartphone). Everything from Oral-B toothbrushes to Samsung washer-dryers, Nest thermostats, and Philips light bulbs is now connected and has its own programming interface. Additional products are coming online that enable you to control virtually any electronic device remotely.
This technology revolution opens the door for software developers to produce some truly innovative and immersive experiences. Easy-to-use APIs and libraries now exist, such as Cylon.js and the forthcoming “Thunder” IoT platform from Salesforce.com, that make it quite simple to control devices in the physical world from the virtual one. Of course, all of this power opens up a myriad of security concerns as well. While I certainly don’t want my blender getting hacked into and ruining my margarita, I have a dream where I can install Nest thermostats in my sales team’s houses and turn up the heat (literally) when automatic reporting from Salesforce.com indicates that they’re not making their quotas. Because that’s how I roll.

Enlightening yourself about IoT with Philips Hue Lights

For our first IoT trick, we’re going to use several well-proven technologies to produce a simple app to control a Philips Hue lightbulb. I’ve been using Hue bulbs for a couple of years now and they’re fantastic. They use light-emitting diodes to produce energy-efficient light across the RGB palette. Each bulb contains a wi-fi radio that connects to a bridge.
Philips Hue Starter Kit with Bridge and 3 Connected Bulbs

The Bridge has its own REST API that enables you to easily get a list of the bulbs that have been named/registered as well as send commands to set the color and brightness of each bulb.

Tools of the Trade

We used the following tools to produce our first IoT app. As a bonus, all of these products are free and open-source. They also all use JavaScript as their programming language.
  • Node.JS application server
    Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world.
  • Cylon.JS API for Controlling Devices
    Cylon.js is a JavaScript framework for robotics, physical computing, and the Internet of Things. It makes it incredibly easy to command robots and devices.
  • Sencha Ext JS (GPL License) for producing the front-end GUI.
    The most comprehensive JavaScript framework for building feature-rich cross-platform web applications targeting desktop, tablets, and smartphones. Ext JS leverages HTML5 features on modern browsers while maintaining compatibility and functionality for legacy browsers.
