HTTPS-only and HSTS

From EPrints Documentation

HTTPS with EPrints

For enabling HTTPS in the first place (certificates and the secure host settings), see How_to_use_EPrints_with_HTTPS.

This page describes how to configure EPrints so that all content, not just login pages, is served over HTTPS.

Google Best Practices for HTTPS

The following are the best practices Google specifies for serving a site over HTTPS:

  • HSTS Headers on HTTPS
  • No “Mixed Content” warnings/errors
  • Links point to HTTPS locations
  • 301 Redirects from HTTP to HTTPS


To summarize how HSTS works: if a browser (Chrome, Firefox, IE) sees the Strict-Transport-Security header in an HTTPS response and the connection had no certificate errors (browsers ignore the header on plain HTTP and on connections with certificate warnings), then the next time a user of that browser requests an HTTP URL on that site, the browser rewrites the request to HTTPS internally and never sends the HTTP request. The browser remembers this for as long as the header's "max-age" value (in seconds) says. Until a browser has seen the header, however, it can still request and receive content over HTTP, so HSTS alone does not close that down. A server-side 301 redirect from HTTP to HTTPS is also necessary, so that browsers that have not yet seen the HSTS header (and any other client that does not implement HSTS) are sent to HTTPS on their first HTTP request.
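The page does not show the web-server side of this, so here is an added example (not from the EPrints documentation) of the two Apache virtual hosts that implement it: a plain-HTTP host that only issues a 301 redirect, and an HTTPS host that sends the HSTS header. YOUR-REPOSITORY-DOMAIN, the certificate paths and the Include path for the EPrints-generated Apache configuration are placeholders that you must replace with your own; mod_ssl, mod_alias and mod_headers are assumed to be loaded (on Debian/Ubuntu, `a2enmod ssl headers`).

```apache
# Added example, not part of the EPrints documentation.
# Plain-HTTP host: its only job is to send everything to HTTPS.
<VirtualHost *:80>
    ServerName YOUR-REPOSITORY-DOMAIN
    # mod_alias Redirect keeps the rest of the path and the query string,
    # so deep links such as /id/eprint/123?foo=bar still resolve.
    # "permanent" = 301, which is what search engines and browsers cache.
    Redirect permanent "/" "https://YOUR-REPOSITORY-DOMAIN/"
    # Deliberately no Strict-Transport-Security here: browsers ignore the
    # header on plain HTTP, so sending it would only mislead anyone testing.
</VirtualHost>

# HTTPS host: serves the repository and sets HSTS.
<VirtualHost *:443>
    ServerName YOUR-REPOSITORY-DOMAIN
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/YOUR-REPOSITORY-DOMAIN.pem      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/YOUR-REPOSITORY-DOMAIN.key    # placeholder

    # HSTS for one year (31536000 s), covering subdomains.
    # "always" makes mod_headers add it on redirects and error responses too,
    # not only on 2xx responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # The EPrints-generated Apache configuration for this repository; the
    # path below is an assumption, use the one generate_apacheconf wrote
    # for your installation.
    Include /opt/eprints3/cfg/apache/YOUR-REPOSITORY-ID.conf
</VirtualHost>
```

Two caveats before deploying this. First, a cached HSTS entry cannot be recalled from users' browsers: if the certificate later lapses or a subdomain turns out to have no HTTPS, those users are locked out for the remainder of max-age. Start with a short value such as `max-age=300` and only raise it to a year (and only add `includeSubDomains`) once every host under the domain is confirmed to serve valid HTTPS. Second, verify the result from the command line rather than trusting the browser's cache: `curl -sI http://YOUR-REPOSITORY-DOMAIN/` should return `HTTP/1.1 301` with a `Location:` header pointing at the https URL, and `curl -sI https://YOUR-REPOSITORY-DOMAIN/` should include the `Strict-Transport-Security` line.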

Implementing HTTPS-only with HSTS on an EPrints repository

Changes to /cfg.d/

In the repository's cfg.d configuration (in a default EPrints 3.3 install these settings live in 10_core.pl; check your own version), set the host to the repository's domain and the URL variables to the https form of that domain (i.e. https://YOUR-REPOSITORY-DOMAIN), so that every URL EPrints generates uses the https scheme:

 # All URL settings must use the https scheme so that every link, form
 # action and CGI URL EPrints generates points at HTTPS.
 $c->{host} = "YOUR-REPOSITORY-DOMAIN"; 
 $c->{http_url} = 'https://YOUR-REPOSITORY-DOMAIN';
 $c->{http_cgiurl} = 'https://YOUR-REPOSITORY-DOMAIN/cgi';
 $c->{base_url} = "https://$c->{host}";

Changes to /cfg/lang/en/templates/default.xml and the /cfg/lang/en/static .xpage files

Replace any hard-coded http:// links, script and stylesheet URLs with https:// (or relative) ones; any http:// resource left in a page served over HTTPS produces a mixed-content warning or is blocked by the browser.
If you have Google Search included as an XPAGE file, call the Google API (and any other external APIs) over HTTPS.