Difference between revisions of "HTTPS-only and HSTS"

From EPrints Documentation

Revision as of 15:57, 27 September 2017


== HTTPS with EPrints ==

For the basic HTTPS setup, see [[How_to_use_EPrints_with_HTTPS]].

This page describes how to configure EPrints so that all content, not just login pages, is served over HTTPS.

== Google Best Practices for HTTPS ==

The following are the best practices specified by Google (https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951):

* HSTS headers on HTTPS responses
* No “Mixed Content” warnings or errors
* Links point to HTTPS locations
* 301 redirects from HTTP to HTTPS

== HSTS ==

To summarize how HSTS works: if a browser (Chrome, Firefox, IE) sees the HSTS header (Strict-Transport-Security) in an HTTPS response, and there are no certificate errors, mixed-content warnings or other problems (the connection is shown as green), then the next time a user of that browser requests an HTTP page of that site, the browser rewrites the request to HTTPS and never issues the HTTP request. The browser remembers that setting for as long as the header's “max-age” value specifies. This means that even with HSTS it is still possible to request and receive content over HTTP: a browser that has not yet seen the header sends its first request over plain HTTP. To close that down, a server-side redirect is also necessary, so that browsers that have never seen the HSTS header and try to go to HTTP get an initial redirect to HTTPS.
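The following Python script is an added example; it is not part of the EPrints documentation or the EPrints code base. It models the browser behaviour just described (the policy is learned only from a clean HTTPS response, http:// requests are rewritten to https:// until max-age runs out, and a browser that has never seen the header still sends plain HTTP) and also checks the four Google points from the list above against a pair of responses. The host name YOUR-REPOSITORY-DOMAIN and all responses are constructed for the example.

```python
"""Added example, not part of the EPrints documentation: a small model of the
HSTS behaviour described above and a checker for the four Google points.
All responses and the YOUR-REPOSITORY-DOMAIN host name are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    """Constructed stand-in for one HTTP response."""
    url: str
    status: int
    headers: dict
    body: str = ""
    tls_ok: bool = True           # False models a certificate error
    mixed_content: bool = False   # True models http:// sub-resources on an https page

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


STS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.I)
HTTP_LINK = re.compile(r"""(?:href|src)\s*=\s*["']http://""", re.I)


def parse_max_age(value):
    """max-age seconds from a Strict-Transport-Security value, or None if absent."""
    match = STS_MAX_AGE.search(value or "")
    return int(match.group(1)) if match else None


@dataclass
class Browser:
    """Models a browser's HSTS cache: host name -> absolute expiry (seconds)."""
    now: int = 0
    hsts: dict = field(default_factory=dict)

    def observe(self, resp):
        """Record the policy only from a clean HTTPS response: the header is
        ignored on plain HTTP, on certificate errors and on mixed content."""
        parts = urlsplit(resp.url)
        if parts.scheme != "https" or not resp.tls_ok or resp.mixed_content:
            return False
        max_age = parse_max_age(resp.header("Strict-Transport-Security"))
        if max_age is None:
            return False
        if max_age == 0:
            self.hsts.pop(parts.hostname, None)   # max-age=0 withdraws the policy
        else:
            self.hsts[parts.hostname] = self.now + max_age
        return True

    def request_url(self, url):
        """URL the browser actually fetches: http:// is rewritten to https://
        for a host with an unexpired HSTS entry, otherwise the URL is unchanged
        (which is why the server-side 301 redirect is still needed)."""
        parts = urlsplit(url)
        expiry = self.hsts.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and self.now < expiry:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def check_best_practices(http_resp, https_resp):
    """Evaluate the four points from the list above for one path, given the
    HTTP response and the HTTPS response for it; returns {check: passed}."""
    location = http_resp.header("Location") or ""
    max_age = parse_max_age(https_resp.header("Strict-Transport-Security"))
    return {
        "hsts_header_on_https": max_age is not None and max_age > 0,
        "no_mixed_content": not https_resp.mixed_content,
        "links_point_to_https": HTTP_LINK.search(https_resp.body) is None,
        "301_redirect_to_https": http_resp.status == 301 and location.startswith("https://"),
    }


def demo():
    """Walk a fresh browser through first contact, the cached policy and expiry."""
    host = "YOUR-REPOSITORY-DOMAIN"  # placeholder host name used on this page
    https_ok = Response(f"https://{host}/", 200,
                        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                        body=f'<a href="https://{host}/cgi/search">Search</a>')
    http_redirect = Response(f"http://{host}/", 301, {"Location": f"https://{host}/"})
    browser = Browser()
    first = browser.request_url(f"http://{host}/")         # no policy yet: HTTP goes out
    browser.observe(https_ok)                              # policy learned from HTTPS page
    upgraded = browser.request_url(f"http://{host}/page")  # rewritten to https://
    browser.now += 31536000                                # one year later: policy expired
    expired = browser.request_url(f"http://{host}/page")
    return first, upgraded, expired, check_best_practices(http_redirect, https_ok)


if __name__ == "__main__":
    print(demo())
```

Run it with python3 to see the three request URLs and the check results. The `first` and `expired` cases are the point the paragraph makes: HSTS only protects a browser that has already seen the header within max-age, so the 301 redirect on the HTTP side is still required for everyone else.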

== Implementing HTTPS-only with HSTS on an EPrints repository ==

=== Changes to /cfg.d/10_core.pl ===

Set the following variables so that the repository's URLs use HTTPS (i.e., https://YOUR-REPOSITORY-DOMAIN), replacing YOUR-REPOSITORY-DOMAIN with the repository's host name:

<source lang="perl">
# host name only, no scheme
$c->{host} = "YOUR-REPOSITORY-DOMAIN";
# both the site URL and the CGI URL use https
$c->{http_url} = 'https://YOUR-REPOSITORY-DOMAIN';
$c->{http_cgiurl} = 'https://YOUR-REPOSITORY-DOMAIN/cgi';
$c->{base_url} = "https://$c->{host}";
</source>

=== Changes to /cfg/lang/en/templates/default.xml, and /cfg/lang/en/static .XPAGE files ===

Remove any hard-coded links to HTTP locations.

If you have Google Search included as an XPAGE file, call the Google API (and any other APIs) using HTTPS.