Category: Uncategorized

This is really incredible but django has an extremely unfortunate default CACHE setting that is not ok for production environments, it defaults to a local memory cache that is not shared between different gunicorn or uwsgi workers. As a result, each worker can have a different state, even database values might differ in a django form!

Read here https://stackoverflow.com/questions/25052248/django-default-cache and here https://stackoverflow.com/questions/6422440/django1-3-multiple-gunicorn-workers-caching-problems

Solution: Set up memcached (apt get install memcached also you need to enable sockets if you want to use unix sockets, otherwise change the below config to use tcp instead) and set up django to use that cache backend in production environments:

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix:/var/run/memcached/memcached.sock',
    }
}

In the models.py (it’s an extended ForeignKey field:

from cms.models.fields import PageField


faq_page_link = PageField()

How to use it in a template?

<a href="{{ instance.get_absolute_url }}">Demo Link to the FAQ Page</a>

Todo: What form widgets are available and how can they be configured on a PageField model field?

Nobody told you in business school, I bet.

1. Who needs a GmbH or AG?

You can start your business as a Einfache Gesellschaft. No need to spend money for a GmbH or AG. Einfache Gesellschaft allows you to use any business name you like, open a Swiss bank account in the company name (just sign a simple shareholder agreement Gesellschafter-Vertrag) and use the company name for your postal address.

If the financial risk of your business is going beyond 20k CHF you should consider founding a GmbH as the Einfache Gesellschaft doesn’t protect you as an individual from claims against the company.

2. Contracting individuals in Switzerland

Switzerland is a liberal country and contracting somebody for a job or a project is a breeze? I am sure everybody would agree, except the SVA. When it comes to social security, self-employed must prove their independence because SVA wants to protect regular employees from being forced into self-employment by their employer to save social security contributions. Before you sign an agreement with a self-employed individual, you should ask him/her for written confirmation letter from the SVA that proves his/her self-employed status.

Here is what can happen if you don’t: If you contract someone who is not recognized as self-employed and the SVA notices – and they eventually will because SVA have access to tax statements – your company will be subject to fines and back payment. The biggest cost (and pain) for your company however will be the administrative effort involved in figuring out all those contracting engagements years back.

Note that this only applies to contractors based in Switzerland because only those are subject to social security contributions to SVA.

3. VAT – register early

The ESTV (Swiss federal tax office) requires you to sign up for paying VAT for the year in which you surpass CHF 100k in revenue. Beware, don’t just wait for this to happen in the middle of your business year – you haven’t charged VAT on your invoices from earlier in that year. If later in the year you find out that your business will surpass 100k CHF in revenue, you will be forced to retroactively charge your clients the VAT. Decide on the first day of the year whether your company is likely to do more than 100k of revenue in the next 12 months and if yes charge VAT on your invoices from the very first day on.

4. Bezugssteuer

You might rejoice when you hear that your business doesn’t pay VAT on anything purchased or contracted from outside Switzerland. But nobody has told you about the Bezugssteuer. Make sure you pay Bezugssteuer whenever there is no VAT on the invoice you receive from a company outside of Switzerland, The Bezugssteuer is due even on that Cloud subscription of yours.

5. Dividends & Verrechnungssteuer

Congratulations, your company is doing good and you would like to take out some money of the company. Slow down – ESTV will only accept payments from the company to individuals as dividends if 1) your company declares earnings in its financial statement at the end of the business year 2) some of these earnings are declared to be paid out on a specific date as dividends in the protocol of the shareholder meeting.

We’re not done yet. Dividends are subject to Verrechnungssteuer. Your company is required to pay 35% of the dividend directly to ESTV. Yes that’s right, your shareholders only receive 65% of the dividends. They have to reclaim the rest via their personal tax declaration in the following year. Therefore it is good practise to define the 31.12. of the year as dividend payout date, as the shareholders then can reclaim it in their tax declaration only shortly after. It’s pretty crazy but even so some time will pass until all the money is where it belongs: year 1: financial statement of the company, year 2: dividend payment, year 3: personal tax declaration of the shareholder, year 4: ESTV pays back the Verrechnungssteuer. Four more years! 🤯

What if you (as a shareholding individual) need the money right away? If your company makes a payment to you the ESTV will classify it as salary and you will pay full SVA social contributions and income taxes on it (after the earnings of your company already got taxed). That sure hurts. It’s therefore better to receive this money as a Gesellschafter Kontokorrent loan. The money technically still belongs to the company (and you have to pay due interest for the loan to your company) but you don’t have to declare it as income in your personal tax statement and can offset the loan later against the dividend payment.

There is no incentive anymore to keep the shareholder’s loans up for longer than needed, so in most cases it’s best to settle them as soon as possible. For dividends, Federal income tax is discounted by 40% while the Staats- und Gemeindesteuer in the Canton of Zurich is discounted by 50% in order to reduce double taxation of company earnings.

Disclaimer: This is not legal advice which means you are discouraged to base your decisions on this article. Consult a lawyer.

tl;dr

• Stick with the values recommended by Google Analytics for source and medium UTM tags
• Keep the campaign UTM tag in the same format across all different advertising networks / channels. For the same campaign, use the same name across different network / channels.
• Assign ownership for UTM tagging to one single person to protect your Google Analytics data quality
• Don’t use UTM tags on internal links as they overwrite the origin of your user sessions and thus destroy your acquisition data.
• No room for mistakes as Google Analytics acquisition data is immutable. Your UTM parameter tracking will stay with you for live.

Why marketeers should read this

With great power comes great responsibility. You might not be aware of the fact that anyone with the power to create a link to your page (or even just browse it) has the power to impact the source / medium (Aquisition > Channel Attribution) data of your Google Analytics reports by adding UTM parameters to the end of the URL.

Marketeers use UTM parameters to attribute the source and type of user sessions on their websites. For example if a marketeer purchases some advertising on a news website, the marketeer will send not only the URL to his/her own website landing page (to which the ads should link) but he/she will prep the URL with Google Analytics UTM parameters. Like this, the marketeer will know how many users came from that news website.

Marketeers in charge of bigger websites will have many different active traffic sources at any given time. Google ads, bing ads, facebook organic content, facebook paid ads, email marketing, … and many more. For all these online marketing activity the marketeer will want to know how many user sessions they deliver for any given period of time, so he/she can determine the return on advertising investment on any single traffic source.

How you should track user sessions from Facebook in Google Analytics

Let’s take Facebook for example. For many professional marketeers, Facebook is more than just a traffic source, it’s at least three: 1) Users clicking on links in third-party posts on Facebook. These we can’t control and they will just show up as social traffic from Facebook. 2) Users that click on links on our own business posts on Facebook. Since we can control the content of such posts, we want to use UTM tags for those links 3) Users that click on our paid ads on Facebook. These we want to distinguish from the previous two traffic sources by using UTM tags.

Here are the most important utm parameters that Google Analytis recognizes.

utm_source: In Google Analytics, the source field of a user session is one of the most important pieces of information. Adding utm_source to a link will override the source that is determined by Google Analytics automagically. For example, a user that comes to your website from Facebook.com will create a user session in Google Analytics with the source facebook.com As this value is used in other parts of Google Analytics we recommend to not alter this behaviour and only use the real domain from where traffic is coming from. So, for Facebook posts or paid ads, you would always use a link like https://your-website.com/landing-page/?utm_source=facebook.com&utm_...

utm_medium: In Google Analytics, the medium field of a user session is the most important piece of information. Adding utm_medium to a link will override the medium that is determined by Google Analytics. Google Analytics automagically recognizes traffic mediums such as: organic, none (for direct traffic), referral, cpc, social. Medium is heavily relied on by Google Analytics to create the default channel grouping. Read more about recognized values here: https://support.google.com/analytics/answer/3297892 – We recommend to stick to these conventions under any circumstance.

utm_campaign: In Google Analytics, the campaign field of a user session is heavily relied upon by the Campaign tab which includes Google Ads. Google Ads Auto-tagging feature will use the campaign names in Google Ads to populate the campaign field in Google Analytics automagically. Beware: Google Analytics will update the campaign field even retroactively if the Google Ads campaign names are changed. We therefore recommend to create guidelines for campaign naming across all paid media networks, including Google Ads, Facebook Ads, and that news website you have booked ads with, too. This essentially means, that you define a global name for your campaigns, and that same campaign name is then used for all media, manually by setting the utm_campaign parameter or automatically via Google Ads campaign names. A good naming convention for campaigns is as follows:

DE_CH_Autumn_Campaign_2020

or a bit more machine-readable (this is useful for bigger marketing teams and marketing activities with dozens of different campaigns for filtering and automation):

[l:DE][c:CH][n:Autumn_Campaign_2020]

utm_content: In Google Analytics, the content field is reserved for further information about the ad or text around the link that was clicked upon. This field is normally not set by Google Analytics, so it’s left for you to fill with information for your ad campaigns.

Are there UTM parameters in internal links on your website?

Sometimes a marketeer would like to know whether users have clicked on a specific button, teaser or other element on their journey to a key page. It is best practise to add a query parameter such as https://your-website.com/?journey=homepage-teasers to such elements. These query parameters are then registered by Google Analytics as part of the page path of the pages visited by users. A marketeer can then filter user sessions by such a query parameter and determine what share of users have reached a key page via such elements.

Mistakenly, sometimes, UTM tags are used for such objectives. This is wrong and UTM parameters should be removed urgently from internal links when found.

Why is this so bad? The scope of UTM tagging is to determine where user sessions on your website originate. UTM parameters on internal links will overwrite this information and it is forever lost. Campaign tracking will be wrong, as some of the user sessions that should belong to a campaign of yours will loose that attribution as the UTM source / medium tags will take precedence when the user clicks on an internal link using UTM tagging on your website.

Oops I did it all wrong. Can it be fixed?

Bummer.

Most Google Analytics data, including source, medium, campaign and content fields are immutable – this data cannot be deleted or changed in Google Analytics – for the rest of your life.

The only thing you can do is correct the wrong UTM parameters as quickly as possible to at least have correct acquisition data in Google Analytics in the future.

Conclusion

It’s best not to sway too much from the default Google Analytics way of classifying incoming user sessions with the source and medium dimensions.

When more than one person is involved in campaigning and online marketing activities, designate one person to have ownership of the UTM parameter setting process. This person should provide UTM parameters for any campaigning activities. Such central management of UTM tags make sure that Google Analytics doesn’t stop making sense without anyone noticing.

This is a simple script to check whether URLs are reachable over HTTP(S). This comes in handy for example when a project has many different (secondary) domains that redirect to the main domain.

#!/bin/bash


urls=(
    "http://domain1.com",
    "https://domain1.com",
    
    "http://domain2.com",
    "https://domain2.com",
    
    "...",
) 

# remove commas
for i in "${!urls[@]}"; do     
   urls[$i]=${urls[$i]//,}
done

#for i in "${!urls[@]}"; do     
#    echo "$i"
#    echo "${urls[$i]}"
#done
#exit 0


for i in "${!urls[@]}"; do
    echo "Checking status of ${urls[$i]}"
    code=`curl -sL --connect-timeout 20 --max-time 30 -w "%{http_code}\\n" "${urls[$i]}" -o /dev/null`

    echo "Found code $code for '${urls[$i]}'"

    if [ "$code" = "200" ]; then
        echo "Website '${urls[$i]}' is online."
        online=true
        sleep 3
    else
        echo "Website '${urls[$i]}' seems to be offline. Waiting $timeout seconds."
        echo "Monitor finished with failures, at least one website appears to be unreachable."
        exit 1
    fi
done

echo "Monitor finished, all good."
exit 0

Traditionally, in any kind of publishing business there has always been a big gap between designers and implementation. We come from a world, where after the designers were done, whoever needed to implement designs had to spend a lot of work importing the artwork into his work environment.

In modern web development, for the first time in the history of mankind, smooth, integrated handovers between designers and developers are in our reach! Here is how.

The challenge

For website projects, the handover between the design phase and the development phase can be difficult and time consuming. Here are a couple of reasons why:

• Some designs look smaller when looking at them as mockups than after they are implemented as websites. This is then a big surprise for customers.
• Not all the assets are available in the quality required (vector shapes, high-res images, webfonts, etc.)
• Developers cant work with source file formats that are not intended for web design (such as Adobe Indesign)
• The design doesnt use a standard grid and therefore requires significant additional effort for implementation
• Some frontend developers use Linux and therefore cannot open Sketch files because Sketch is not supported on Linux

Therefore we created some guidelines for designers:

1. Design Mockup Sizes

Have you ever read “Objects In The Mirror Are Closer Than They Appear” on a side-view mirror? The same happens to mockups. They often look smaller than they will appear once implemented in code. Also, designers often work with very big screens 19 or 22 inches, while clients often use their business laptops at 13 or 15 inches.

Recommendations:

• Use 1920px for the artboard width itself and 1040px for the content width for desktops.
  • This setup allows a frontend developer to see what elements should stretch out to full screen width, and what elements are limited by the content width.
  • The 1040px content width will allow the client to preview the design in its full width even on smaller screens and in general is aesthetically pleasing.
• Show the mockups to the client in a way that is not zoomable. Use a design hand-off tool (see below) – why? It doesn’t auto-scale the mockups based on the window width of the browser. If you use images or PDF, the content of the window is auto-scaled based on the window width of the browser or image preview tool on the client’s computer. Alternative: Send the client an HTML where the mockups are added as background image of the body element (<html><body style="background-image: url('img/mockup1.jpg'); height: 3500px; background-repeat: no-repeat; background-position: center top;"></body></html>)

2. Smooth Design Handovers

The topic of design handovers today is nearly fully covered by using Design Hand-Off Tools – see here for an intro: Design Hand-Off Tools

Best Case: Use a Design Hand-Off Tool!

How does paradise look like for a frontend developer?

The best case for frontend developers is when the design comes in a Design Hand-Off Tool. Like this, the frontend developer can extract all the required assets directly in the tool and use them to build the real high-resolution website. Awesome!

There are currently three options:

• Invision (also note that there is Invision Studio, it’s free.)
• Avocode
• Zeplin

Note:

• vector shapes (such as icons), images and text should be selectable separately so that it can be exported for production.
• For text: text properties (such as text size, text decoration, text style, font-family, etc.) should be properly displayed in the tool, when selecting the text.
• For layouts it’s important that properties such as border radius, shadows, height, width, etc. is properly displayed in the tool, when selecting a box or other type of layout.
• If the design has almost-unnoticeable gradients (eg for visibility of the text on top of bright images) – mention them explicitly during the hand-over, otherwise they might go unnoticed and end up being excluded from the estimates.

Second Option: Use a web design tool

If it is not possible to use a Design Hand-Off Tool, it’s still possible to do an efficient handover to the frontend developer. In this case please make sure that all assets can be exported separately and are available in high-resolution. Please check if the responsible frontend developer has access to the web design tool (i.e. Sketch is not available for Linux) and in case there is a problem please provide the assets separately (see below).

Here are the main options on the market (some of them are Mac OS only!):

• Sketch
• Adobe Experience Designer (XD)

Fallback Option: Use a conventional graphic design tool

Handing over design in a conventional graphic design tool will mean significant additional efforts for frontend developers, as the asset extraction takes more time. (TODO: add some more reasons why)

In this case please make sure that all assets can be exported separately and are available in high-resolution. Please check if the responsible frontend developer has access to the web design tool (i.e. Sketch is not available for Linux) and in case there is a problem please provide the assets separately (see below).

Such tools are:

• Adobe Illustrator
• …

Deprecated tools that shouldn’t be used anymore for web design handover and which we dont support anymore:

• Adobe Photoshop
• Adobe Indesign
• …

In this case please see below for a traditional hand-off as separate files.

Handing off assets as separate files

In order to maintain full compatibility with the frontend developer’s technical means, designers might need to hand off assets as separate files on Google Drive.

Assets like vector shapes, images, stock photos, videos and web fonts

Please provide all the assets separately on Google Drive (see below), so that the Frontend Developer can use these files to build the website. Use speaking file names whenever possible to facilitate the frontend developer’s work.

• images in high-resolution (.png / .jpg)
• web fonts (.woff / .woff2 )
• vector shapes (.svg)

Fonts

• Please help us by uploading a zip file of the web fonts to Google Drive
• if you only have .ttf fonts you can create a web font package on https://www.fontsquirrel.com/tools/webfont-generator

Assets that need to be purchased

• Normally, the client is purchasing any paid assets directly via credit card.
• While working on a design proposal that includes assets that need to be purchased, you can use preview or trial material, other sources (i.e. fonts you have already installed, etc.) for the mockups.
• Upon design approval you can create a gitlab issue on the respective Gitlab project, asking the client to purchase the corresponding assets. Please include the direct links to the items to be purchased for the convenience of the client. Many thanks.

Uploading your source files (.xd, .sketch, …) and any other assets to Google Drive

• In order to enable frontend developers to work efficiently, it’s important that all your source files are in the project’s Google Drive folder and that you keep them updated at all times so that the frontend developer always have access to the latest version.
• If you dont have access to the project’s shared folder on Google Drive request access with the responsible project manager
• Do not change the file name after updating a source file (i.e. do not add a version string or date to the filename). Google Drive automatically creates a new version of the file if the file name is the same. The old versions are still accessible via the context menu (right click on the file).

Yes, it’s possible!

Some context: A Google Account and a gmail address are not the same thing. A Google Account is required to log into Google services such as gmail, google drive, youtube, etc. Login with Google even lets you use your Google Account (instead of a username and password) to log into third-party services that support it.

Note: When you create a gmail address a Google Account is automagically created with it.

Google lets you create a Google Account for any email address, specifically for your work address.

Why does it matter?

Other people might want to add you to Google services. If you don’t have a Google Account on your work address, these people will see this error, here is an example from Google Analytics:

It’s recommended to use your official work address for Google (and other) services you use for work, instead of your private (or secondary) gmail address. This way, system administrators can identify individuals when looking at a list of authorized users which increases security for everybody at your company. Nobody knows who frank_82@gmail.com is, but everybody can recognize frank.mueller@yourcompany.com.

How? Here is how to create a Google Account with your non-gmail email address:

1. Go to https://accounts.google.com/signup/
2. Click on Use my current email address instead
3. Enter your official work email address
4. Finalize the registration providing the required information

If Google complains that there is already a Google Account for this email address, then please click on Sign in instead and sign in, use the Forgot password? link to recover your password if necessary.

Now your work email address (respectively the Google Account attached to it) can be used by other people to add you to Google Services, for example Google Analytics.

Many people have asked me: Is django secure?

Luckily, with django we don’t have to worry about basic security at all. Here is a list of basic security stuff that django supports right out of the box.

• Cross site scripting (XSS) protection
• Cross site request forgery (CSRF) protection
• Full CORS support
• SQL injection protection
• Clickjacking protection
• SSL/HTTPS
• Host header validation
• Session security

On top of this we lock down production deployments as follows:

• Set SECURE_HSTS_SECONDS. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
• SECURE_CONTENT_TYPE_NOSNIFF set to True, so your pages will not be served with an ‘x-content-type-options: nosniff’ header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
• SECURE_BROWSER_XSS_FILTER set to True, so your pages will not be served with an ‘x-xss-protection: 1; mode=block’ header. You should consider enabling this header to activate the browser’s XSS filtering and help prevent XSS attacks.
• SECURE_SSL_REDIRECT set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
• SESSION_COOKIE_SECURE set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
• Set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
• DEBUG set to False in deployment.
• X_FRAME_OPTIONS set to ‘DENY’. The default is ‘SAMEORIGIN’, but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to ‘DENY’.

Additional Security Features

django features a range of third-party open source modules that improve security, for example access logging and application firewalling: https://djangopackages.org/grids/g/security/

I was recently asked to compare the django ecosystem with the drupal ecosystem. Drupal is widely known as a huge open source CMS success with a massive community behind. 

However looking at Google Trend to my biggest surprise I realized that this is not true in 2019 anymore. The django ecosystem is bigger and on top of that, growing in a sustainable way.

Django (red) vs Drupal (blue) – Since 2016 django has surpassed Drupal. Shockingly, the decline in the interest in the Drupal CMS ecosystem is sharp.

It is my experience that most CMS come and go across the years. The django ecosystem appears to be much more robust than any CMS ecosystem because it doesnt just cover CMS functionality, as a web application framework it covers a much broader scope, with the django CMS package covering the CMS part.

As you can see here, Django is amongst the top three open source web technology ecosystems and it is on a continuous growth path:

django CMS itself is much leaner than other CMS, as it sits on the shoulder of a giant: django – this makes it more long-living and much more maintainable than other CMS projects.

I hope I could give you some insights into the advantages of django + django CMS. Please let me know if you have any questions.

For more information about the technology stack, I’d also point you to the slightly technical articles I wrote about django and django cms.

Disclaimer: At what.digital django and django CMS is our main backend technology stack.

Would you like to contribute to this article? Please let me know. For example, do you think Google Trends is a good way to look at how future-proof a technology is?

Divio is the company that originally founded django CMS a couple of years ago and that still contributes to developing it further together with the rest of the django CMS community.

Divio is a professional, modern cloud hosting company specialized in hosting python / django / django CMS projects in a highly secure, performant and efficient way.

Divio relies on data centers in Europa and North America via Amazon Web Services (AWS) and in Switzerland – its hosting is fully scalable, meaning that we could host websites with Divio that would be used by hundreds of thousands of daily users.

Amongst Divio’s customers are small to large enterprises in Switzerland and across the globe including S&P Fortune 500 companies and global financial institutions.

Divio is headquartered in Zurich, close to Hardbrücke and has offices in New York City and Stockholm as well as a technical team distributed around the world to be able to respond to support requests around the clock (24/7).

At what.digital what we like about divio.com hosting is:

• simplicity of the divio.com control panel to launch and maintain projects for our clients
• very competitive pricing
• simple backup
• quick responses from their support staff
• robust developer tools for django and django CMS projects