Fix Mixed Content (nonsecure items) Error on SSL Secure Site

By Nikita Gupta - Published on : Dec 31, 2015

SSL certificates are a great backbone of online security so online shoppers, financial organizations, banking sectors and other organizations which put customer’ security on priority base. However, it is not sufficient to have an SSL certificate for login form or payment gateway, you should implement it on your entire website including frames, iframes, flash, JavaScript. Ignoring such nonsecure elements can cause mixed content error “This page contains secure and non-secure items” that can decrease the trustworthiness of the website.
mixed content ssl error

Types of mixed content error:

Generally, there are two types of mixed content errors: mixed scripting and mixed passive content. A mixed scripting error occurs when the HTTPS site runs a script file over HTTP site. It damages the security of the website. Browsers do not pass such type of content and block it. The second type of mixed passive content error happens, when the HTTPS site runs audio or image file over HTTP site. Such type of content is not a risk for website security and browsers do not count such error as strictly. Still, it is an unsecured practice for SSL secured website.

How does this impact website security?

Hackers can perform Man-in-the-middle attack and change data in transit and compromise the website as a result, the website will have loss of privacy and users’ data. Attackers can perform a DNS spoofing attack on such modified resources. Even users face warning about secure and non-secure content which is an unfriendly experience for users and drives away visitors of the website.

How to find nonsecure elements on the website?

Before fixing mix content errors on your website, it is essential to find the mixed content error. In that case, SSL2BUY brings “Why No Padlock” tool that can find out insecure images, CSS, Javascript. Just put URL name in the provided box, and within a blink, you will have the list of insecure elements on your website.

How to fix mixed content error?

There are few ways through which a website owner can fix the mixed content error and provides a smooth and secure experience for users.

Disable error on Chrome:

In Chrome, Google has introduced “Upgrade Insecure Requests” that treats the HTTP request as HTTPS and gets users rid of the mixed content error. It allows developers to update legacy content via HTTPS easily and they can offer better security to users.If you have no direct control over web server, then the owners have just to add a single line code shown below:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable error on Firefox:

For Firefox, Firefox has started to block mixed content since the arrival of version 23. Website owners have to serve all the content over HTTPS by changing in HTML source code.

Change URLs:

Open the insecure page that serves image, iframes, flash and search for http://. Modify the reference to all unsecured items to HTTPS. For example,

<img src="https://www.domain.com/image.gif" alt="" />

If you are loading an image from a different website which has no SSL set up, then the command will not work.

Change all links to HTTPS:

There is no need to change all links to HTTPS, but you just put command like below

<img src="//www.domain.com/image.gif" alt="" />

By applying the code, the browser will load securely in the case when the web page is served securely. If the web page is not secured then the image will load in normal condition.

If the image or script is on the same domain, you can use the following command:

<img src="/image.gif" alt="" />

Changing Browser Setting:

You can change the code of the page that shows the error, however if you have no access to it then you can follow below steps.

  1. Browse Tools>> Internet Options.
  2. Under “Security” Tab, click the “Custom Level” button.
  3. Scroll down to the option: “Display mixed content” and choose “Enable”.
  4. Choose ‘Enable’ and click Ok button.
  5. There will be a “Security Warning” pop-up. Click Yes.

Conclusion

When visitors see the warning they usually react in two ways. Either they proceed by ignoring security warning that could be risky for them or they will pay attention to the security warning and move from the website that reduces the effectiveness of a website and sales too. Therefore, it is advisable to fix mixed content error on your website and allow a secure browsing to users and visitors.

About the Author

Nikita Gupta

Nikita Gupta is a seasoned professional with a master's degree in Computer Applications. She brings over 10 years of profound experience to the realm of technology. Her exceptional expertise spans software security, data security, and mastery in SSL/TLS. When it comes to cutting-edge solutions for securing digital assets, Nikita is a dedicated pro.

Trusted by Millions

SSL2BUY delivers highly trusted security products from globally reputed top 5 Certificate Authorities. The digital certificates available in our store are trusted by millions – eCommerce, Enterprise, Government, Inc. 500, and more.
PayPal
Verizon
2Checkout
Lenovo
Forbes
Walmart
Dribbble
cPanel
Toyota
Pearson
The Guardian
SpaceX