Visitors to Websites protected by HTTPS Certificates or SSL protocol expect and deserve protection. A mixed SSL warning indicates that both secured and unsecured elements are used that should be completely encrypted. Any website using an HTTPS address must have all of its content coming from a secured source. Any page that links to a none secure source HTTP is considered insecure and is flagged by your browser as a security risk
When customers see a "Not Secure Website" warning they normally react one of two ways. If they do not take security seriously, they will ignore it and presume everything is okay. If they take security seriously, they will leave your website assuming you do not take security seriously, never to return. Most modern browsers will block the more malicious types of mixed content and in doing so may stop your website from loading. The best solution is to make sure that these warnings and or blocks do not happen by correctly configuring your website to serve only secure content
Mixed content warnings can appear when you forced a redirect from "HTTP" to "HTTPS" for your website
Images have hard-coded URLs <img src="http://example.com/myimage.jpg"> that point to HTTP
You are using HTTP versions of external scripts - jQuery, Font Awesome, etc.
You are using embedded video scripts that the referring website are using HTTP protocol instead of HTTPS
Passive content refers to items which can be replaced or altered but can not change other parts of the page – for instance, a graphic or photograph. The most common cause of all mixed content warning is when a secure website is configured to pull images from an unsecured website or source. Passive HTTP requests are served via these tags:
<audio src= /attribute>
<video src= /attribute>
Active HTTP requests are served via scripts, links, CSS stylesheets, XML Http Requests, iframes
All modern browsers will block active mixed content by default (which may stop an incorrectly-configured website from loading)
Securing your website lets your visitors trust you which today is vitally important. However eliminating the insecure content from the website has an even greater value of eliminating false positive warnings. If your Secure website is compromised, any insecure element an attacker inserts will trigger the mixed-content warning. The best way to avoid mixed content issues is to serve all content via HTTPS - NOT HTTP
For your own website serve all content as HTTPS and fix your links. Often the HTTPS version of the content already exists and this just requires adding an “s” to links
http:// to https://
Or for links with in your own website use “relative URLs” or links with out the "http://"
A example might look like
In fact all internal links with in our website "http://rshweb.com/" uses “Relative URLs” links. As you can see these works just fine
Use the HTTPS version if available. If HTTPS is not available, you can try contacting your hosting company and asking them if they can make the content available via HTTPS
If they offer no help try using a different company that does allow SSL
If you are using cPanel with your hosting account you can enable "Enable Force HTTPS Redirect" just by checking the appropriate box
However if you do not have cPanel available or you need to enable it by hand you can to do this via your .htaccess file
1) Edit or create a .htaccess file in the folder your website is being served from. Normally this is the "/public_html" directory. You can easily edit the .htaccess file using an FTP client and text editor
2) Add the following code to the .htaccess file:
Save the file and check the results in your web browser by trying to access your site using standard "HTTP" rather than "HTTPS"
If it is working correctly, you should automatically be redirected to the "HTTPS://" version of your website
“Upgrade Insecure Requests” is a CSP (Content Security Policy) directive that allows you to tell to a web browser that all the resources on your website must be accessed via HTTPS
Your resources will automatically be requested on HTTPS by the client/browser, without any mixed content warning
To implement this, you only need to add the following lines of code to your ".htaccess file":# BEGIN Fix mixed content warnings
Again Save the file and check the results in your web browser by trying to access your site using standard "HTTP" rather than "HTTPS". If it is working correctly you will be automatically redirected to "HTTPS"
As always, our customer support team is here to answer any questions you may have
Comments, questions or leave a reply
Leave a Reply
Thank you, Do you guys ever help with website you are not hosting?
Yes RSH Web Services will help where we can
Thanks again for sharing and inspiring us, Keep it up guys
Enjoyed reading these articles
Tweet Share Pin Tumble Email