Fix SSL or HTTPS Warnings

SSL Certificate Problems
Explanation of SSL Certificate Errors

Mixed SSL Content Warning Error Examples

Updated: May 18, 2023
By: RSH Web Editorial Staff

How to Fix SSL Mixed Content Warnings

Visitors to websites protected by HTTPS (SSL) expect and deserve protection. A mixed content warning indicates that a page that should be completely encrypted is loading both secured and unsecured elements. Any website using an HTTPS address must have all of its content coming from a secured source. Any page that links to a non-secure source with HTTP is considered insecure and is flagged by your browser as a security risk.

Warnings of Non SSL Elements

When customers see a "Not Secure" website warning, they normally react in one of two ways. If they do not take security seriously, they will ignore it and presume everything is okay. If they take security seriously, they will leave your website assuming you do not take security seriously, never to return. Most modern browsers will block the more malicious types of mixed content, and in doing so may stop your website from loading. The best solution is to make sure that these warnings or blocks do not happen, by correctly configuring your website to serve only secure content.

What Causes Mixed Content Warnings?

Mixed content warnings can appear after you have forced a redirect from HTTP to HTTPS for your website.

Images have hard-coded URLs.

<img src="http://example.com/images/myimage.jpg">

You are using HTTP versions of external scripts, jQuery, Font Awesome, etc.

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script>

You are using embedded video scripts from a referring website that uses the HTTP protocol instead of HTTPS.

<http://www.youtube.com/watch?v=C3e9OLTcw>

Developers sometimes use absolute paths in the website’s code to link to resources like CSS and JavaScript instead of using relative paths.

<http://example.com/css/style.css>

SSL content warnings fall into two categories

Passive content and Active content.

Passive Content

Passive content refers to items which can be replaced or altered, but cannot change other parts of the page.

For instance, a graphic or photograph. The most common cause of all mixed content warnings is a secure website that is configured to pull images from an unsecured website or source.

Passive HTTP requests are served via these tags:

<audio src="/attribute">
<img src="/images/rshweb.gif">
<video src="/attribute">

Active Content

Active content can alter the web page itself. JavaScript, a PHP script, or another application could allow a request for HTTP content on an HTTPS page to be intercepted and/or rewritten.

This makes malicious active content very dangerous. User credentials or sensitive data can be stolen, or malware installed on the user's computer system. Example: a bit of JavaScript on a web page designed to generate a random password could be replaced by code that provides a pre-generated password instead, or that secretly delivers an otherwise secure password to a third party. Active mixed content can be exploited to compromise sensitive private data, but even public web pages which seem innocuous can still redirect to dangerous sites, deliver unwanted content or steal cookies for exploitation.

Active content might include:

  • JavaScript
  • Browser plugins
  • Web application add-ons
  • Countdown clocks
  • Toolbars
  • Cookies
  • PHP hypertext preprocessor
  • Add-ins
  • Data connections
  • Color-theme files
  • Links to external pictures
  • Real-time data servers
  • Smart documents
  • Cascading style sheet (CSS) files
  • Linked object linking and embedding (OLE) files
  • XML expansion packs
  • XML manifests
  • ActiveX controls

All modern browsers will try to block active mixed content. But this may stop an incorrectly-configured website from loading.
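The two categories can be checked mechanically. The following Python scanner is an added example, not code from the original article: it parses a page's HTML and reports every subresource requested over http://, labelled passive or active. The names MixedContentScanner, scan and SAMPLE_PAGE are hypothetical, the tag-to-category mapping is an assumption based on the categories above, and the sample page is constructed from the URLs used in this article.

```python
from html.parser import HTMLParser

# Assumed mapping of (tag, attribute) to the article's two categories: media that
# is only displayed is passive; anything that can run code or restyle is active.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}

# Constructed sample markup, reusing the URLs shown in this article.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://example.com/css/style.css">
<link rel="canonical" href="http://example.com/">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<img src="http://example.com/images/myimage.jpg">
<img src="/images/rshweb.gif">
<a href="http://example.com/web-site-hosting">Hosting</a>"""


class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue  # relative and https:// URLs are not mixed content
            if (tag, name) in PASSIVE:
                category = "passive"
            elif (tag, name) in ACTIVE:
                # <link> fetches a subresource only for rel values like stylesheet
                if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
                    continue
                category = "active"
            else:
                continue  # <a href> is navigation, not a subresource load
            self.findings.append((self.getpos()[0], category, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line, category, tag, url in scan(SAMPLE_PAGE):
        print(f"line {line}: {category:7} <{tag}> {url}")
```

The canonical link and the plain anchor are skipped because the browser does not load them as part of the page; only the stylesheet, the script and the first image are reported.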

How to Fix Mixed Content Warnings

Securing your website lets your visitors trust you, which today is vitally important. However, eliminating the insecure content from the website has an even greater value: it eliminates false-positive warnings. If your SSL website is compromised, any insecure element an attacker inserts will trigger the mixed content warning. The best way to avoid mixed content issues is to serve all content via HTTPS, not with the HTTP protocol.

Serve all content as HTTPS and double check all your links. Often the HTTPS version of the content already exists, and this just requires adding an “s” to the address.

Change http:// to https://

Or, for links within your own website, use relative URLs, or links without the http://

<a href="/web-site-hosting">
<img src="/my-image.jpg">

In fact, all internal links within our website https://rshweb.com/ use relative URLs.

If HTTPS is not available, you can try contacting your hosting company to see if HTTPS is available.

If they offer no help, try using a different hosting company that does allow SSL.
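The two fixes above (relative URLs for your own site, https:// for everything else) can be applied to existing markup in one pass. This Python rewriter is an added example, not code from the original article; fix_mixed_content, own_hosts and SAMPLE are hypothetical names, the sample markup is constructed from the URLs used in this article, and the regex only covers quoted src and href attributes.

```python
import re
from urllib.parse import urlsplit

# Quoted src/href attributes whose value starts with http:// (assumed scope).
URL_ATTR = re.compile(r'''\b(src|href)\s*=\s*(["'])(http://[^"']+)\2''', re.IGNORECASE)

# Constructed sample markup, reusing the URLs shown in this article.
SAMPLE = '''<a href="http://example.com/web-site-hosting">Hosting</a>
<img src="http://example.com/images/myimage.jpg">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<img src="/my-image.jpg">'''


def fix_mixed_content(html, own_hosts):
    """Make own-site http:// URLs relative and switch all others to https://.

    Returns (new_html, upgraded): upgraded lists every third-party URL that was
    switched to https:// so it can be double checked, since an HTTPS version
    often exists but is not guaranteed.
    """
    own = {host.lower() for host in own_hosts}
    upgraded = []

    def rewrite(match):
        attr, quote, url = match.group(1), match.group(2), match.group(3)
        parts = urlsplit(url)
        if (parts.hostname or "") in own and parts.port is None:
            # Keep path, query and fragment; drop scheme and host.
            rest = url[len("http://") + len(parts.netloc):]
            new = rest if rest.startswith("/") else "/" + rest
        else:
            new = "https://" + url[len("http://"):]
            upgraded.append(new)
        return f"{attr}={quote}{new}{quote}"

    return URL_ATTR.sub(rewrite, html), upgraded


if __name__ == "__main__":
    fixed, to_check = fix_mixed_content(SAMPLE, {"example.com", "www.example.com"})
    print(fixed)
    print("verify these load over HTTPS:", to_check)
```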

Forcing a Redirect from HTTP to HTTPS

If you are using cPanel with your hosting account, you can enable this option: Enable Force HTTPS Redirect just by checking the appropriate box.

If, however, you do not have cPanel available, or you need to enable it by hand, you can do this via your .htaccess file.

Edit or create a .htaccess file in the folder your website is being served from. Normally this is the /public_html directory.

You can easily edit the .htaccess file using an FTP client and text editor.

Add the following code to the .htaccess file:

# BEGIN HTTPS Redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END HTTPS Redirect

Save the file and check the results in your web browser by trying to access your site using standard HTTP rather than HTTPS.
If it is working correctly, you should automatically be redirected to the https:// version of your website.

How to Fix Mixed Content Warnings, Insecure Requests

Upgrade Insecure Requests (upgrade-insecure-requests) is a CSP (Content Security Policy) directive that allows you to tell the web browser that all the resources on your website must be accessed via HTTPS.
Your resources will automatically be requested over HTTPS by the client/browser, without any mixed content warning.

Upgrade Insecure Requests is supported by Mozilla Firefox, Google Chrome, Microsoft Edge, Opera, Android, Chrome for Android, Safari.

To implement this, you only need to add the following lines of code to your .htaccess file:

# BEGIN Fix mixed content warnings
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
# END Fix mixed content warnings

Again, save the file and check the results in your web browser by trying to access your site using standard HTTP rather than HTTPS. If it is working correctly, you will be automatically redirected to HTTPS.


COMMENTS

Howard H
Thank you. Do you guys ever help with websites you are not hosting?
Yes, RSH Web Services will help where we can.


Alan E
Thanks again for sharing and inspiring us, Keep it up guys

