SpringyNews: The ABCs of Web Safety

June 2018

No Web Safety? Know Web Pain!

As the old saying goes, it's better to be safe than sorry.

These LibGuides tips and tricks will help you enable and promote the security of patron and library data.

Protection and safety don't happen by accident... they are planned and executed by choice.

So, let's tackle this together because an ounce of prevention is worth a pound of cure!


1. Force Springy Websites to Load via HTTPS

2018 is all about secure web browsing, and Chrome is leading this trend by raising its security game and working toward its end goal of all HTTP webpages having a "Not Secure" indicator. For more information on HTTPS security, check out the HTTPS Protects Your Sites page of this newsletter.

This means that if a patron loads your Springy tool website over HTTP, they’ll see a Not Secure indicator in the address bar. This is definitely not good PR for you. You don’t want your patrons thinking your LibGuides, LibAnswers, LibCal, or LibWizard sites are untrustworthy.

By July 2018, HTTPS required on Chrome

Now all Springy sites - whether you’re on a product domain (ends in libguides.com, etc.) or a custom domain (ends in .edu, .gov, .org, etc.) - are ready to protect patron data by loading over HTTPS. Sites using a product domain use our wildcard certificate to load their sites over HTTPS. For custom domains, we recently worked some behind-the-scenes magic and installed a free Let’s Encrypt security certificate for you. You don’t need to ask your IT colleagues to change a thing. It just works!

But just having a security certificate in place doesn’t mean that patrons will magically load the page via HTTPS. You need to make a simple change to ensure this secure connection always takes place.

Force HTTPS

Automatically loading your web pages over HTTPS is the only way to ensure that they always have a secure connection. When you use the “Force HTTPS” feature, even if your patrons are linked to your site via an HTTP-based link the page will still load via HTTPS. In the future, Springy HQ will completely disable HTTP (i.e., loading pages over HTTPS will be forced automatically). Until then, though, we’ve provided you with the tools to make this change yourselves!

We know this is a "LibGuides Tips" area, but we don't want you to stop with LibGuides, so here's the scoop for all Springy products! LibStaffer, LibInsight, and LibCRM operate solely via HTTPS, so there’s nothing to change.

Forcing HTTPS for LibGuides, LibAnswers, and LibCal

  1. From any product, go to the blue menu > LibApps > Admin* > Domains and Certificates
    *Don’t see the Admin menu? You may not be a LibApps Admin. Go to the LibApps Dashboard (from any product, click the blue menu > LibApps) to see the list of LibApps Admins for your site.
  2. Click the padlock icon in the Actions column.
  3. Go to the Force HTTPS tab and choose Required.
  4. Click the Return to Domains and Certificates button at the bottom and repeat for your other Springy sites.

Forcing HTTPS for LibWizard

  1. Go to LibWizard > Admin > System Settings.
  2. Check off the Load Site in HTTPS? box and click Save.

CAUTION: Forced HTTPS Can Affect Embedded Media

Forcing a webpage to load via HTTPS means that everything embedded on that page must also be loaded via HTTPS. If you have embedded images, videos, widgets, or calls to JavaScript / style sheets, you’ll need to check to ensure they’re loaded via HTTPS, or you’ll see a “mixed content” warning/error.

Check out the “What is Mixed Content” and “How Do You Find…” sections of the HTTPS Protect Your Sites page to learn more about what all of this means and how to find potential mixed content in your sites.

Fixing Mixed Content

  • Find the mixed content items in your site. (See the “How Do You Find…” section of the HTTPS Protect Your Sites page to learn how.)
  • Check with vendors to see if they offer HTTPS-based versions of their widgets.
    (Springy widgets are HTTPS ready!)
  • Update http:// to https:// in widgets on your webpages for any content that can load via HTTPS.
  • Remove widgets from your webpages for any content that can’t load via HTTPS. If you don’t, the content will not display when you force the overall page to load via HTTPS.
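The first step in the list above (finding the mixed content) can be scripted for widget or custom HTML you paste into a page. This is an added example, not Springshare code; the `example.org` hosts and the sample markup are constructed. It flags only tags that actually load a resource over `http://`, so ordinary `<a href>` links and protocol-relative `//` URLs are left alone.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource. "active" content is blocked
# on an HTTPS page; "passive" content is shown with a warning or blocked,
# depending on the browser.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only when rel="stylesheet", checked below
    ("img", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            url = (attrs.get(attr) or "").strip()
            if t != tag or not url.lower().startswith("http://"):
                continue
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                continue  # e.g. rel="canonical" is never fetched
            self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample widget markup (example.org hosts are placeholders).
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.org/theme.css">
<script src="https://widgets.example.org/chat.js"></script>
<img src="http://images.example.org/banner.png" alt="banner">
<iframe src="http://video.example.org/embed/123"></iframe>
<a href="http://catalog.example.org/">Catalog</a>
<script src="//static.example.org/app.js"></script>
"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Each finding is a candidate for the "update http:// to https://" step; anything the vendor cannot serve over HTTPS falls under the "remove" step.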

2. Password Protect Files & Documents (CMS Only)

This tip might be short, but it can have a big impact. Sometimes you need to share important documents, slides, spreadsheets, or PDFs. How can you do that securely?

Easy-peasy, using LibGuides CMS' password-protected files & documents.

Simply add the password you want to the Password field when either creating a new or editing an existing Documents & Files Asset. Share the password with the appropriate person/people, and you're all set! Just make sure you don't shout it across a crowded room. ;)

Idea: In the description field, add a password hint or contact info for accessing the password.


3. What 3rd-Party Analytics Tools Are You Using?

ICYMI, the EU's General Data Protection Regulation has prompted the creation of new Springy privacy tools for everyone... not just our clients in Europe. Privacy-conscious librarians can enable these patron-related privacy features to ensure users are informed about the use of their data.

If you haven't already, be sure to check out the Public Cookie Notice & Customizable Privacy Statement that you can enable in your LibGuides, LibCal, and LibAnswers systems. Via a small banner, it informs your patrons that a small cookie is installed on their computer to track their IP address for usage statistics.

The default notice applies only to your Springy apps and the use of cookies within LibGuides, LibCal, and LibAnswers.

If you're like most libraries, you might be employing other 3rd-party tools, like Google Analytics, in order to gather more detailed usage stats.

If you are, we strongly recommend that you:

  1. Take stock - What 3rd party data gathering tools are you using? What are their privacy statements?
  2. Inform Users - Update your customizable banner to inform users of these additional 3rd party tracking tools.
  3. Include 3rd-Party Privacy Statements - Include links to 3rd-party tool privacy statements.

For clients in the European Union, you might need to take extra steps to ensure these 3rd-party tracking tools are GDPR-Compliant. Our compliance does not cover these 3rd-party embedded tools' compliance. 
 


4. Store Passwords & Login Credentials for A-Z Database Assets

The opposite of security is storing important passwords on post-it notes around the reference and circulation desks. But we get it, how can you share important database credentials internally with staff and externally with users? 

Easy - with LibGuides A-Z asset login credentials and internal notes features. 

Sharing Admin / Stats Types of Database Passwords with Staff Using the Login Credentials Feature

The login credentials feature is relatively new, released in May 2017. Admins can use it to store login credentials for admin interfaces, SUSHI credentials, or login details for access to database statistics. The uses are endless!

Since only Admin-level users or A-Z asset managers can view login credentials, don't use it to store information that all librarians need.

Setting Up Login Credentials:

  • A-Z Asset Managers navigate to Content > A-Z Database List > Settings Tab
  • Scroll to Login Credentials Section
  • Add as many login credential types as you'd like!

Add to Existing Database Asset:

  • Navigate to Content > A-Z Database List > Databases Tab
  • Edit your Database Asset
  • Assign Login Credentials
  • Note: Not all fields are required. Only enter data in fields that you need/use.

Only Admin-level users / A-Z asset managers can view login credentials.
Don't use it to store information that all librarians need... e.g. database passwords.

Sharing Database Passwords w/ Staff

You might be working with a database vendor where access is via a password. Definitely not ideal - but beggars can't be choosers.

How can you share database login information with fellow staffers, securely? 

Use the A-Z asset internal notes field! Internal notes never display to the public, and you don't have to be an admin-level user to access them either. This way, all staffers can view (and share) important database login details with patrons. 


5. Controlling Guide Sharing

In our social-media fueled society, you can get lulled into the notion that all web content should be shared with everyone. I can retweet your tweet, share your Facebook post, and reuse your content as my own. And as much as we encourage sharing here at Springy HQ, there are just some guides that aren't meant for sharing with the greater LibGuides community. 

Cue, sharing controls. For each individual LibGuide, you can control who can reuse it - from the entire LibGuides community to individuals within your own institution.

Let's break these options down
 

Guide Sharing = Community

  • Guide will be shared with authors within your own LibGuides system... regardless of status (published, private, unpublished). 
  • Guides in groups will be shared with authors within your own LibGuides system... except if it's in an internal group (LibGuides CMS only). Internal groups' guides are automatically defaulted to "No" for sharing content, though that can be changed if the owner wishes.
  • Published guides in public groups (LibGuides CMS only) can be searched for / copied by authors at other institutions.
  • Private guides can be copied (not searched) if an author at another institution knows the URL.
  • Public guides in public groups are indexed and searchable in the LibGuides Community site: community.libguides.com.
  • Public guides in public groups are indexed, searchable, and reusable from the LibGuides 'Create Guide' screen.

Guide Sharing = Internal

  • No community sharing enabled... guide will only be shared within your institution.
  • Guide will not be indexed and searchable in the LibGuides Community site: community.libguides.com.
  • Guide will not be indexed, searchable, and reusable from other sites' LibGuides 'Create Guide' screen.
  • Internal shareable guides are shareable internally, regardless of status... published, private, unpublished. 
  • Internal shareable guides are shareable if they are in a public or restricted group (LibGuides CMS only). The default sharing setting for Internal groups is "No", though owners can change that if they wish. If it is set to Internal, then it can be shared internally.

Guide Sharing = No

  • No community sharing enabled.
  • No internal sharing enabled with authors within your own institution.
  • You will not be able to reuse your own guide.
  • Guide will not be indexed and searchable in the LibGuides Community site: community.libguides.com.
  • Guide will not be indexed, searchable, and reusable from the LibGuides 'Create Guide' screen.