HSTS and EZproxy

Resolution

HSTS is not supported by EZproxy. EZproxy works with vendors who are free to serve their sites over HTTPS or over plain HTTP, so the URL and HJ lines in the stanzas can be HTTP or HTTPS. Forcing all traffic to HTTPS through the proxy can create problems, because EZproxy already handles the HTTP-to-HTTPS translation itself. Self-hosted sites are free to enable HSTS on their EZproxy domain, but when they do, browsers refuse the plain-HTTP connections and users get error messages on every HTTP-only website. We can offer the following solutions to those sites:

  1. Check whether the EZproxy domain sends the Strict-Transport-Security header (for example with https://gf.dev/hsts-test). Ask the site to remove the "includeSubDomains" option from that header; the EZproxy domain is then allowed to continue using HTTP.
  2. Change all the links to HTTPS (change them everywhere, including WorldCat Discovery, the online library page, and config.txt).
  3. Some resources, such as Brepolis, do not support HTTPS. In that case, a line like this might help to fix the issue:

     ProxyHostnameEdit apps.brepolis.net$ apps.brepolis.net

     Refer to https://help.oclc.org/Library_Management/EZproxy/Configure_resources/ProxyHostnameEdit for more information.

If your EZproxy configuration still contains sites that are accessible only via HTTP, do not use the "includeSubDomains" option; with it set, those sites would no longer be available through your EZproxy.

To enable the header without includeSubDomains, add this to your config.txt:

HTTPHeader -server Strict-Transport-Security "max-age=31536000"

If you are sure that you have no more HTTP-only resources, and won't add any in the future, you can add "includeSubDomains":

HTTPHeader -server Strict-Transport-Security "max-age=31536000;includeSubDomains;"
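The two checks described on this page (is "includeSubDomains" present in the EZproxy domain's HSTS header, and are there still HTTP-only URL or HJ lines in config.txt?) can be combined into a small audit script. The following is an added example, not OCLC's or EZproxy's own code. It assumes the usual config.txt syntax of `URL`/`U` and `HJ`/`HostJavaScript` lines with optional leading `-` options, and it treats a scheme-less `HJ` host as plain HTTP (an assumption about EZproxy, stated in the code). The config.txt excerpt and the header values are constructed samples; the header value is pasted in by hand (for example from the output of an HSTS test tool or `curl -I` against your own EZproxy host) rather than fetched over the network, so the script runs offline.

```python
"""Audit an HSTS policy on an EZproxy domain against HTTP-only resources in config.txt.

Added example (not OCLC/EZproxy code). Reports the conflict described on the page:
includeSubDomains set on the EZproxy domain while stanzas still point at http:// hosts.
"""

from urllib.parse import urlsplit

# Constructed config.txt excerpt, not a real site's configuration.
SAMPLE_CONFIG = """\
Title Secure Journal (constructed)
URL https://journals.example.com
HJ https://journals.example.com
DJ example.com

Title Brepolis (constructed, HTTP-only)
URL http://apps.brepolis.net
HJ apps.brepolis.net
DJ brepolis.net

Title Legacy Catalog (constructed)
URL -Redirect http://legacy.example.org:8080/start
"""


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a small policy dict.

    Directive names are case-insensitive; empty directives (e.g. a trailing ';')
    are ignored, which is how browsers treat them."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave it unset
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def http_only_hosts(config_text):
    """Return the sorted, unique hostnames that URL/HJ lines proxy over plain HTTP."""
    hosts = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() not in ("url", "u", "hj", "hostjavascript"):
            continue
        # Skip option tokens such as -Redirect or -Form=post; the target follows them.
        targets = [p for p in parts[1:] if not p.startswith("-")]
        if not targets:
            continue
        target = targets[0]
        if "://" not in target:
            # Assumption: an HJ line with a bare hostname is proxied over plain HTTP.
            target = "http://" + target
        split = urlsplit(target)
        if split.scheme.lower() == "http" and split.hostname:
            hosts.add(split.hostname.lower())
    return sorted(hosts)


def recommended_header(plain_hosts):
    """The config.txt HTTPHeader line from this page that matches the current state."""
    if plain_hosts:
        return 'HTTPHeader -server Strict-Transport-Security "max-age=31536000"'
    return 'HTTPHeader -server Strict-Transport-Security "max-age=31536000;includeSubDomains;"'


def assess(hsts_header, config_text):
    """Combine both checks. 'conflict' is True when includeSubDomains would break HTTP-only sites."""
    policy = parse_hsts(hsts_header) if hsts_header else None
    plain = http_only_hosts(config_text)
    conflict = bool(policy and policy["include_subdomains"] and plain)
    return {
        "policy": policy,
        "http_only_hosts": plain,
        "conflict": conflict,
        "recommended": recommended_header(plain),
    }


if __name__ == "__main__":
    # Header value as observed on the EZproxy domain (constructed here).
    observed = "max-age=31536000;includeSubDomains;"
    result = assess(observed, SAMPLE_CONFIG)
    print("HTTP-only hosts:", ", ".join(result["http_only_hosts"]) or "none")
    print("Conflict:", result["conflict"])
    print("Use:", result["recommended"])
```

Run it against your own config.txt by reading the file into `config_text` and pasting the observed header value into `observed`; a `conflict` of `True` means step 1 above applies (drop "includeSubDomains"), and the listed hosts are the stanzas to revisit under steps 2 and 3.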
Page ID
47246