diff --git a/roles/nginxplus/templates/http/library.conf.j2 b/roles/nginxplus/templates/http/library.conf.j2
index 63bbd7a73d..5831346a61 100644
--- a/roles/nginxplus/templates/http/library.conf.j2
+++ b/roles/nginxplus/templates/http/library.conf.j2
@@ -60,6 +60,7 @@ server {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_cache {{ item.short_name }}cache;
+ # handle errors using errors.conf
 proxy_intercept_errors on;
 # TODO don't do a health check if there's only one server
 {% if item.health_check_URI is defined %}
@@ -73,6 +74,10 @@ server {
 }
 {% else %}
 location {{ item.location }} {
+ {% if item.app_protect == "enabled" %}
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ {% endif %}
 proxy_pass http://{{ item.short_name }};
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/roles/nginxplus/vars/main.yml b/roles/nginxplus/vars/main.yml
index 5685a7af59..8705bc3786 100644
--- a/roles/nginxplus/vars/main.yml
+++ b/roles/nginxplus/vars/main.yml
@@ -126,15 +126,16 @@ sites:
 # visibility: private
 # added_restrictions: htc_restrict.conf
 # app_protect: disabled
- # - name: bibdata-staging
- # servers:
- # # - bibdata-alma-staging1
- # - bibdata-alma-staging2
- # short_name: bibdata-staging
- # location: "/"
- # visibility: private
- # added_restrictions: htc_restrict.conf
- # app_protect: disabled
+ - name: bibdata-staging
+ servers:
+ # - bibdata-alma-staging1
+ - bibdata-alma-staging2
+ short_name: bibdata-staging
+ location: "/"
+ visibility: private
+ added_restrictions:
+ - "htc_restrict.conf"
+ app_protect: enabled
 # - name: byzantine-tsp-prod
 # servers:
 # - byzantine-tsp-prod
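Review bot: The App Protect directives are added only inside the `{% else %}` location block, so the location rendered by the other branch (it closes just above this hunk, outside the visible lines) appears to get no `app_protect_enable` even when a site sets `app_protect: enabled`; if that branch serves sites with `health_check_URI` defined, they would run without the WAF and nothing would report it. The test `item.app_protect == "enabled"` is also an exact string match: an entry that omits the key will probably fail templating under Ansible's strict undefined handling, and a value such as `true` or `Enabled` renders no protection without any error, so `{% if item.app_protect | default("disabled") == "enabled" %}` is the safer form for the missing-key case. No `app_protect_policy_file` or `app_protect_security_log` appears in the hunk, so unless they are set at a higher level the module defaults apply; a one-line comment naming the intended policy and log destination would help the next reader.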
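Review bot: `added_restrictions` changes shape in the restored `bibdata-staging` entry, from the scalar still shown by the commented-out examples (`# added_restrictions: htc_restrict.conf` in the context lines just above) to a one-item list, and nothing in the file says which form the template expects. The consuming template is not part of this diff; if it loops over the value, a scalar copied from those examples would be iterated character by character and the restriction include for a `visibility: private` site would not render as intended. A comment above the entry such as `# added_restrictions: list of restriction include files, e.g. ["htc_restrict.conf"]` would settle it, and the commented examples are worth converting to the list form in the same change. The `sites:` list starts and ends outside the hunk.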