How to fix "insecure content was loaded over HTTPS, but requested an insecure resource"

S

6

62

I can't find the insecure content and the Chrome keeps complaining,

Any ideas?

Surmount answered 3/2, 2016 at 13:16 Comment(1)

Use that new Security tab in developer tools. Should show you exactly which resource is insecure. – Snuggery 3/2, 2016 at 19:23

F

35

"Mixed Content" warnings occur when an HTTPS page is asked to load a resource over HTTP.

This is dangerous because the insecure resources are vulnerable to alteration by an active attacker or eavesdropping by a passive attacker, which violates the user's expectation of security for an HTTPS page.

https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content?hl=en

Flory answered 3/2, 2016 at 13:24 Comment(1)

What about the development phase? Do I really need to set up HTTPS just to be able to test downloads? Where is the logic in that? – Brachiopod 27/2 at 2:29

D

72

Update the links via adding a meta tag like below

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Note: This is a hot fix when you update your production from non-ssl to ssl, anyway you have to fix all the links one by one to https.

Derron answered 25/8, 2019 at 14:27 Comment(3)

It does not help – Capful 15/7, 2020 at 10:10

It did help me. – Stereoscopic 21/9, 2023 at 11:58

Deprecated. It's no longer working. – Brachiopod 27/2 at 2:27

F

35

"Mixed Content" warnings occur when an HTTPS page is asked to load a resource over HTTP.

This is dangerous because the insecure resources are vulnerable to alteration by an active attacker or eavesdropping by a passive attacker, which violates the user's expectation of security for an HTTPS page.

https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content?hl=en

Flory answered 3/2, 2016 at 13:24 Comment(1)

What about the development phase? Do I really need to set up HTTPS just to be able to test downloads? Where is the logic in that? – Brachiopod 27/2 at 2:29

W

6

You are trying to access via "http" on a "https" site, its best to use "https" content. You shouldn't access insecure data on a secure channel.

Wivestad answered 16/6, 2016 at 7:47 Comment(3)

Sometimes just use 'http' instead of 'https' can solve this issue. – Kristoforo 24/5, 2017 at 9:40

i call my laravel apis from ionic app that hosted app on index page as application and my server https and i call https but error said please call https i dont know my dokcer use ngnix and how can i configure docker or ngnix stackoverflow.com/q/56157129/308578 – Parotid 17/5, 2019 at 14:43

Really? What about the development phase? Where is the logic in that? – Brachiopod 27/2 at 2:30

S

2

I had this error with an iframe to another website. I changed the src from "https://website.com/folder" to "https://website.com/folder/index.php" and for some reason it works.

Sally answered 8/2, 2022 at 11:5 Comment(1)

I had the same problem! I added /index.html and it worked! You saved the day – Evante 14/6, 2022 at 13:25

T

0

If you're using nginx as a reverse proxy, modify the ssl server block to include this line.

server {
    listen 443 SSL;
    # Proxy settings
    add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}

Trygve answered 18/1 at 4:1 Comment(0)

B

0

In my case, the blocker was at the path. The path I used it was not allowed by the HTTP server. So, make sure your HTTP server allows the path toward your downloads.

My case. I use Flask with path outside "static" directory. Flask does not allow that by default. Once I put in "static" directory (or I instructed Flask to allow my new path), it worked and the error disappeared without any other action from my side.

I hope it helps those who still have this issue.

Brachiopod answered 27/2 at 2:43 Comment(0)

Recommended topics

Hot tags