HTTPS Warnings

Warnings of Non-SSL Elements on Your Website

Browser-Based SSL Content Warnings

Visitors to websites protected by HTTPS certificates or the SSL protocol expect and deserve seamless protection. A mixed SSL warning indicates that both secured and unsecured elements are being served on a page that should be completely encrypted. When customers or visitors see this warning, they can react in one of two ways. If they do not take security seriously, they will ignore it and presume everything is okay (bad). If they do take security seriously, they will leave your website assuming you do not take security seriously, never to return (worse). Furthermore, most modern browsers will block the more dangerous types of mixed content, and in doing so may break your site. The best solution is to make sure that these warnings and/or blocks do not happen, by correctly configuring your website to serve only secure content.

Any page using an HTTPS address must have all of its content coming from a secured source. Any HTTPS page that loads a resource over HTTP is considered insecure and is flagged by your browser as a security risk.

SSL content warnings fall into two categories: passive content and active content.

Passive Content

Passive content refers to items which can be replaced or altered but cannot change other parts of the page, for instance a graphic or photograph. The most common cause of mixed content warnings is a secure website that is configured to pull images from an unsecured website or source. Passive HTTP requests are served via these tags:
<audio> (src attribute)
<img src="/images/rshweb.gif">
<video> (src attribute)

Active Content

Active content can alter the web page itself. A JavaScript file, PHP script or other script requested over HTTP from an HTTPS page can be intercepted and/or rewritten. This makes malicious active content very dangerous. User credentials and/or sensitive data can be stolen, or malware installed on the user's computer system. Example: a bit of JavaScript on a web page designed to generate a random password could be replaced by code that provides a pre-generated password instead and/or secretly delivers an otherwise secure password to a third party. Active mixed content can be exploited to compromise sensitive private data, but even public web pages which seem innocuous can still redirect to dangerous sites, deliver unwanted content or steal cookies for exploitation.
Active HTTP requests are served via scripts, links, CSS stylesheets, XMLHttpRequest calls and iframes.

All modern browsers will block active mixed content by default (which may break an incorrectly configured site).
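To see which references on a page fall into each category, the following added example (not part of the original article) scans HTML for `http://` subresources and labels them passive or active using the tag lists above. The sample markup and its `example.com` hosts are constructed for illustration, and treating only `rel="stylesheet"` links as active is a simplifying assumption.

```python
from html.parser import HTMLParser

# Sample page, constructed for this example (hosts are placeholders).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
</head><body>
<img src="http://images.example.com/logo.gif">
<img src="/images/rshweb.gif">
<video src="HTTP://media.example.com/intro.mp4"></video>
<iframe src="http://ads.example.com/frame.html"></iframe>
<a href="http://example.com/about-us.html">About</a>
</body></html>
"""

# Tag -> URL attribute, following the article's passive/active split.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresources from a page that is served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for category, table in (("passive", PASSIVE), ("active", ACTIVE)):
            url = (attrs.get(table.get(tag, "")) or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https://, relative and empty URLs are not mixed
            # Assumption: only stylesheet <link>s are counted as active here.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            self.findings.append((category, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for category, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{category:8} <{tag}> {url}")
```

The `<a href>` in the sample is not reported because following a hyperlink is navigation, not a subresource load. Requests issued from inside scripts (such as XMLHttpRequest) and URLs inside CSS files are not visible to a static scan like this one.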

How to Fix Mixed Content Warnings

Securing your website lets your visitors trust you, which today is vitally important. However, eliminating insecure content from the website has an even greater value: it eliminates false positive warnings. Once your own pages no longer trigger the warning, if your secure website is compromised, any insecure element an attacker inserts will trigger the mixed-content warning. The best way to avoid mixed content issues is to serve all content via HTTPS, NOT HTTP.

For your own website, serve all content as HTTPS and fix your links. Often the HTTPS version of the content already exists, and this just requires adding an "s" to links: http:// becomes https://.
Or, for links within your own website, use "relative URLs", that is, links without the "http":
<a href="/about-us.html">
A link in this format will work just fine.

For other websites, use the HTTPS version if available. If HTTPS is not available, you can try contacting the domain owner and asking whether they can make the content available via HTTPS. If that does not help, try using a different website altogether that does have SSL.

Comments, questions or leave a reply

Lilia T
This is one of the best guides I have come across

Howard H
Thank you so much for sharing such an awesome blog

Lara E
Nice blog and ideas for blogger or persons planning to blog about something

Robin H
Such a great article and the best guide for me

Alan E
Thanks again for sharing and inspiring us, Keep it up guys

Susan A
Enjoyed reading these articles
