Description
I am getting complaints from Netlify that the learningresources website is serving insecure mixed content.
Background (insecure mixed content)
HTTP serves content through an unencrypted channel, so anyone on the network path can intercept the content and modify it without either end noticing. That is why websites are recommended to enable HTTPS (which our website does), so that content travels through an encrypted, authenticated channel.
However, even if the page itself is served over HTTPS, if it embeds other resources over HTTP, those embedded resources can still be tampered with even though the main page cannot. This is what 'insecure mixed content' means. How bad it is depends on the resource: a tampered image changes what the reader sees, while a tampered script gives the attacker control of the whole page.
Problem
Netlify found several images that are referenced over `http` rather than `https` (see the Netlify deploy log for the list of insecure images).
Solution
- Force browsers to always fetch content via the `https` protocol by using a meta tag. That way, regardless of the protocol the page authors specified in a resource's reference URI, the browser will request it over `https`.
  This can be done by putting the following in `_markbind/head/head.md`:

  ```html
  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  ```

  Caveat: this only changes what supporting browsers request at load time; the `http://` URLs remain in the built HTML, so the references should still be fixed at the source as described in the next point.
- Some `http` content just doesn't have an `https` equivalent, so forcing `https` will cause it to break. So we either have to (1) save these images into our repository and serve them ourselves, (2) find alternative substitutes, or (3) not use them.
  The list of images that need checking and fixing can be found in the Netlify logs.
  Note: Be sure to put proper attribution if you do (1)!
For more info: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
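The audit that the two Solution points describe, as an added example that is not code from the learningresources repo or from MarkBind: it finds `http://` subresource references in a page, checks which of them have a working `https://` equivalent, rewrites those, and lists the rest so they can be saved into the repo (with attribution) or replaced. It assumes Node 18 or later (for the global `fetch`); the sample page and every URL in it are constructed for the example.

```javascript
// Added example, not code from the learningresources repo or from MarkBind.
// Assumes Node 18+ (global fetch). All URLs below are constructed sample data.

// Attributes that load subresources. An http:// value in any of them on an
// https page is what browsers and Netlify report as mixed content.
const RESOURCE_ATTR_RE =
  /<(?:img|script|iframe|audio|video|source|link|embed|object)\b[^>]*?\s(?:src|href|poster|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;

// Markdown image syntax, so the MarkBind sources can be scanned as well as
// the built HTML.
const MD_IMAGE_RE = /!\[[^\]]*\]\((http:\/\/[^)\s]+)/gi;

// Return the distinct http:// resource URLs referenced in `text`.
function findInsecureReferences(text) {
  const found = new Set();
  for (const m of text.matchAll(RESOURCE_ATTR_RE)) found.add(m[1]);
  for (const m of text.matchAll(MD_IMAGE_RE)) found.add(m[1]);
  return [...found];
}

function toHttps(url) {
  return url.replace(/^http:\/\//i, 'https://');
}

// Split the http:// URLs into those that can simply be upgraded and those
// that need a local copy or a substitute. `httpsAvailable` is a Set of the
// https:// URLs known to respond.
function planFixes(httpUrls, httpsAvailable) {
  const upgrade = [];
  const hostLocally = [];
  for (const url of httpUrls) {
    (httpsAvailable.has(toHttps(url)) ? upgrade : hostLocally).push(url);
  }
  return { upgrade, hostLocally };
}

// Rewrite only the references that have an https:// equivalent; the others
// are left in place so they are not silently broken.
function upgradeReferences(text, urlsToUpgrade) {
  let out = text;
  for (const url of urlsToUpgrade) out = out.split(url).join(toHttps(url));
  return out;
}

// Pure part of the audit: given the probe results, produce the plan and the
// rewritten text. Kept separate from the network so it can be tested offline.
function auditOffline(text, httpsAvailable) {
  const refs = findInsecureReferences(text);
  const plan = planFixes(refs, httpsAvailable);
  return { ...plan, fixed: upgradeReferences(text, plan.upgrade) };
}

// Network part: HEAD the https:// variant; true if it answers 2xx or 3xx
// within the timeout. Redirects are not followed, so a redirect counts as
// "exists" rather than being chased to a possibly-http target.
async function httpsEquivalentExists(httpUrl, timeoutMs = 5000) {
  try {
    const res = await fetch(toHttps(httpUrl), {
      method: 'HEAD',
      redirect: 'manual',
      signal: AbortSignal.timeout(timeoutMs),
    });
    return res.status >= 200 && res.status < 400;
  } catch {
    return false; // no TLS endpoint, bad certificate, timeout or DNS failure
  }
}

// Full audit of one page: probe every http:// reference, then plan.
async function audit(text) {
  const refs = findInsecureReferences(text);
  const httpsAvailable = new Set();
  await Promise.all(refs.map(async (url) => {
    if (await httpsEquivalentExists(url)) httpsAvailable.add(toHttps(url));
  }));
  return auditOffline(text, httpsAvailable);
}

// Constructed sample page (not from the real site): two mixed-content images
// in HTML, one in markdown, and one script that is already secure.
const SAMPLE_PAGE = [
  '<img src="http://example.org/a.png" alt="a">',
  '<script src="https://example.org/ok.js"></script>',
  "<img src='http://cdn.example.net/b.jpg'>",
  '![c](http://example.org/c.gif)',
].join('\n');

// Offline run of the sample, pretending only a.png has an https equivalent.
function demo() {
  return auditOffline(SAMPLE_PAGE, new Set(['https://example.org/a.png']));
}
```

`demo()` exercises everything except the network: it reports `a.png` under `upgrade` and rewrites it to `https://`, and leaves `b.jpg` and `c.gif` under `hostLocally` (and untouched in the text) for step (1), (2) or (3). To run the real audit over a built page, read the file and `await audit(html)`; `hostLocally` is then the list that still needs a manual decision.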