HTTPS Warnings

Visitors to websites protected by HTTPS certificates or the SSL protocol expect and deserve protection. A mixed SSL warning indicates that a page that should be completely encrypted uses both secured and unsecured elements. Any website using an HTTPS address must have all of its content coming from a secured source. Any page that links to a non-secure (HTTP) source is considered insecure and is flagged by your browser as a security risk.

Warnings of Non SSL Elements

When customers see a "Not Secure Website" warning they normally react in one of two ways. If they do not take security seriously, they will ignore it and presume everything is okay. If they take security seriously, they will leave your website assuming you do not take security seriously, never to return. Most modern browsers will block the more malicious types of mixed content and in doing so may stop your website from loading. The best solution is to make sure that these warnings and/or blocks do not happen by correctly configuring your website to serve only secure content.

What Causes Mixed Content Warnings?

Mixed content warnings can appear when you have forced a redirect from "HTTP" to "HTTPS" for your website

Web developers sometimes use absolute paths in the site’s code to link to resources like CSS and JavaScript instead of using relative paths

Images have hard-coded URLs that point to HTTP

You are using HTTP versions of external scripts - jQuery, Font Awesome, etc.

You are using embedded video scripts where the referring website uses the HTTP protocol instead of HTTPS

SSL content warnings fall into two categories: passive content and active content.

Passive Content

Passive content refers to items which can be replaced or altered but cannot change other parts of the page – for instance, a graphic or photograph. The most common cause of mixed content warnings is a secure website configured to pull images from an unsecured website or source. Passive HTTP requests are served via these tags:

Active Content

Active content can alter the web page itself. A JavaScript file, PHP script or other script could allow a request for HTTP content on any HTTPS page to be intercepted and/or rewritten. This makes malicious active content very dangerous. User credentials and/or sensitive data can be stolen, or malware installed on the user’s computer system. Example: a bit of JavaScript on a web page designed to generate a random password could be replaced by code that provides a pre-generated password instead and/or secretly delivers an otherwise secure password to a third party. Active mixed content can be exploited to compromise sensitive private data, but even public web pages which seem innocuous can still redirect to dangerous sites, deliver unwanted content or steal cookies for exploitation.
Active HTTP requests are served via scripts, links, CSS stylesheets, XMLHttpRequests and iframes.

All modern browsers will block active mixed content by default (which may stop an incorrectly-configured website from loading)
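To find both categories before a browser flags them, a page's markup can be scanned for subresources that resolve to plain HTTP. The scanner below is an added example, not code from the original article; the tag-to-category table follows the passive/active split described above, and the sample page and host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that triggers a fetch, category used in the article)
SUBRESOURCES = {
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "script": ("src", "active"),
    "iframe": ("src", "active"), "link": ("href", "active"),
}


class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, resolved URL, line number)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a subresource load
        attr_name, category = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative and protocol-relative URLs inherit the page's https scheme.
        resolved = urljoin(self.page_url, (attrs.get(attr_name) or "").strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((category, tag, resolved, self.getpos()[0]))


def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; host names are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://code.example.org/jquery.min.js"></script>
<img src="http://www.example.com/images/banner.jpg">
<a href="http://other.example/">external link</a>"""

for finding in scan(SAMPLE, "https://www.example.com/"):
    print(*finding)
```

Requests made at run time (XMLHttpRequest calls, URLs inside CSS files) do not appear in the markup, so the browser's developer console remains the check for those.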


How to Fix Mixed Content Warnings

Securing your website lets your visitors trust you, which today is vitally important. However, eliminating the insecure content from the website has the even greater value of eliminating false positive warnings. If your secure website is compromised, any insecure element an attacker inserts will trigger the mixed-content warning. The best way to avoid mixed content issues is to serve all content via HTTPS - NOT HTTP.

For your own website, serve all content as HTTPS and fix your links. Often the HTTPS version of the content already exists and this just requires adding an “s” to links
http:// to https://
Or, for links within your own website, use “relative URLs”, that is, links without the "http://"
An example might look like

In fact, all internal links within our website "http://rshweb.com/" use “relative URL” links. As you can see, these work just fine.

Use the HTTPS version if available. If HTTPS is not available, you can try contacting your hosting company and asking them if they can make the content available via HTTPS

If they offer no help try using a different company that does allow SSL

Forcing a Redirect from HTTP to HTTPS

If you are using cPanel with your hosting account you can enable "Enable Force HTTPS Redirect" just by checking the appropriate box
However, if you do not have cPanel available or you need to enable it by hand, you can do this via your .htaccess file

1) Edit or create a .htaccess file in the folder your website is being served from. Normally this is the "/public_html" directory. You can easily edit the .htaccess file using an FTP client and text editor
2) Add the following code to the .htaccess file:

# BEGIN HTTPS Redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# END HTTPS Redirect

Save the file and check the results in your web browser by trying to access your site using standard "HTTP" rather than "HTTPS"
If it is working correctly, you should automatically be redirected to the "HTTPS://" version of your website

How to Fix Mixed Content Warnings - Insecure Requests

“Upgrade Insecure Requests” is a CSP (Content Security Policy) directive that allows you to tell a web browser that all the resources on your website must be accessed via HTTPS
Your resources will automatically be requested over HTTPS by the client/browser, without any mixed content warning

Upgrade Insecure Requests is supported by Mozilla Firefox, Google Chrome, Microsoft Edge, Opera, Android, Chrome for Android, Safari

To implement this, you only need to add the following lines of code to your ".htaccess" file:

# BEGIN Fix mixed content warnings
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

# END Fix mixed content warnings

Again, save the file and check the results in your web browser by trying to access your site using standard "HTTP" rather than "HTTPS". If it is working correctly you will be automatically redirected to "HTTPS"

As always, our customer support team is here to answer any questions you may have

COMMENTS

Howard H
Thank you, Do you guys ever help with website you are not hosting?
Yes RSH Web Services will help where we can


Alan E
Thanks again for sharing and inspiring us, Keep it up guys


Susan A
Enjoyed reading these articles

