With the switch from http to https happening gradually over recent years, for some websites the change is not yet complete and there are still elements hanging around with an unsecured connection.
It’s fair to say that as a website owner it can feel as if you are on a never-ending conveyor belt of updates and error fixes but fear not.
Mixed content is a serious security issue that will adversely affect your sales, website security, performance and SEO so it is urgent maintenance that must be done. Here’s a quick and simple guide, in layman’s terms so you can get this error fixed and return your focus to running your business.
Read on for a clear explanation of what mixed content is and how you can fix it easily.
What is mixed content?
We know that https connections are valid under SEO so if you have some content on a web page still operating under an old http connection you are compromising the validity and security of the web page even though the web page itself has a https connection.
The mixture of content on a single web page with some elements loaded under http and other parts under the newer https is called mixed content.
What causes mixed content errors?
Even though the web page URL has a https extension, any features on the page using a http extension are not operating with the extra security layer https delivers.
As a result any interaction with a web page with mixed content is not secure and is most likely to be blocked by browsers. Mixed content can be caused by having a http URL linked to any element of the page so that could come from videos on the page, coding, images etc.
It’s like having a secure front door and leaving the windows open. Mixed content leaves holes in your website security, puts your user’s personal data at risk, diminishes your website SEO, causes blocked pages and security error warnings being sent to your users.
With some of your web pages blocked by the browser, your website won’t work properly and will look broken.
At present, mixed content is an issue for a number of websites that have not been updated properly so as you can imagine, hackers have been quick to actively exploit these website security flaws to disastrous effect.
Without the full TLS security that https delivers for your website privacy and data protocols, hackers have an easy gateway into your site.
The holes in your mixed content will provide hackers with the capability to hack the compromised page in a multitude of ways plus any user interactions that occur via the web page, putting the security of both you and your users at risk.
Clearly mixed content is an issue that should be fixed as a matter of urgency. Here are 4 top ways to fix mixed content issues quickly.
How to fix mixed content
Here are four ways to fix mixed content quickly and easily:
1. Identify where the issues are
Use a tool to search your website for any pages where there is mixed content. Popular tools include: Mixed Content Scan SSL Check,HTTPS Checker, JitBit Scanner, Firefox Web Console Security Messaging, Why No Padlock or McDetect.
If you wish, you could make the checks manually yourself through a number of approaches although these methods are obviously more cumbersome. You could:
- open each page of your website and check the browser bar has a green padlock and https displayed.
- sift through all of your website urls to see if any show up as http instead of https, if they do there is likely to be mixed content present on the page.
- open each web page in Chrome and see if you receive any mixed content security error warnings after right clicking on the page and selecting Inspect Element then Console.
- open each web page using http then https and see if any elements don’t display properly, have an error sign over them or are missing – those features are likely to be causing mixed content on the page.
2. Amend the URL
When you do find a web page where there is an issue with mixed content e, essentially the fix you need to do is to ensure all of the elements have a https url.
If for example, the error is contained within the written code you’ll need to change the text from http to https.
There are a number of options as to how you execute these changes but remember any change from a http url to a https url must be checked once fixed to ensure the connection still works.
If the connection no longer works, you’ll need to update the element with a new one because mixed content is not something you can afford to have on your website.
3. Root out all issues
Manually checking through all the elements on a web page with mixed content is a laborious job so utilising an online solution such as Chrome Security Panel can be extremely helpful.
Chrome Security Panel will show you the files and connections that are causing the problem so you don’t have to check through every feature and piece of code for the page.
Whilst you do the work it is possible to launch an Upgrade Insecure Requests Directive using the code below. This directive will ask all browsers to automatically update your pages to https but obviously this is an interim solution whilst you properly remedy the root of the problem.
4. Automatic alerts
If you want to keep an eye out for mixed content in future, update your HTTP response headers with the code below so you can receive alerts if any of your website visitors encounter mixed content again.
Content-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri https://example.com/reportingEndpoint
It can feel strenuous to keep on top of all the changes and fixes business websites require to operate fully. However, website maintenance is essential if you want to run a successful online business that’s why we offer a complete range of digital solutions for business websites.