Fixing mixed content errors
Accessing an HTTPS-enabled site that is serving insecure content will prevent the padlock icon from appearing in the address bar when visiting your website. Insecure content is usually comprised of images, scripts, video, or other media that is not being served through an HTTPS connection. In order to have the padlock icon appear in the address bar, and prevent any "not secure" message from appearing, a page cannot have any mixed content. This guide explains how to fix mixed content in order to get full HTTPS security and enable the lock icon.
If you require assistance with any step of this process, please contact our support team.
Check to see if your website has been secured with HTTPS
First, determine whether or not your website has HTTPS enabled. We are currently undergoing a large project to incorporate HTTPS encryption across all websites. To check if this feature has been enabled for your website, please see this document for instructions. If your website does not yet have HTTPS enabled, please contact our support team, as you will not be able to effectively test for mixed content without this.
1. Locate the mixed content
Your browser will only display a Mixed Content error if you are accessing the site through HTTPS and the page is serving at least one insecure resource. This is almost always some kind of media (images, video), or a script that is hosted elsewhere (eg Facebook, YouTube, externally hosted JavaScript). The easiest way to determine which resources are insecure on a given page is by using a tool like Why No Padlock.
On the Why No Padlock page, enter the HTTPS URL of the page you want to test, and click Test Page. An example of an HTTPS URL would be:
https://www.yourdomain.com/yourpage.html
Note the HTTPS protocol at the beginning of the URL.
On the results page, scroll down to the Mixed Content section to see the list of insecure resources.
Remember to also check individual product pages inside catalogs, individual articles/blog posts/press releases, and your site-wide footer.
2. Fix the mixed content
Is the insecure resource hosted with us?
If the insecure resource is an image or video hosted on your own website, this is fairly simple to fix. For absolute links that use the domain URL, simply update the protocol from HTTP to HTTPS, like so:
BEFORE: http://www.mydomain.com/i/image.jpg
AFTER: https://www.mydomain.com/i/image.jpg
For absolute links that use the subdomain, you will need to swap it out for the full domain and change the protocol:
BEFORE: http://mydomain.myhost.com/i/image.jpg
AFTER: https://www.mydomain.com/i/image.jpg
Alternatively, in either scenario, you can change the link to a relative one:
BEFORE: http://www.mydomain.com/i/image.jpg
AFTER: /i/image.jpg
BEFORE: http://www.mydomain.myhost.com/i/image.jpg
AFTER: /i/image.jpg
Is the insecure resource hosted elsewhere?
First, test the resource by attempting to access it in your browser via HTTPS. Simply copy the web address to the resource and change the protocol from HTTP to HTTPS. If you are able to view the resource via HTTPS, then it's being served securely, and you can simply change the protocol in the HTML tag.
If you are not able to view the resource via HTTPS, then the host is not serving it securely, and it must be removed in order to fix the mixed content warning. If the resource is an image or other media that you may legally copy, you can simply save it to your computer and upload it to your own website.
3. Test the page for mixed content
The easiest way to test if you have fixed all mixed content errors is to simply visit the page using HTTPS.
If you see the padlock in the address bar, there is no remaining mixed content on the page. If you do not see the padlock, then there is still mixed content - go back to step 2 and use Why No Padlock to scan for remaining mixed content.
If you require assistance with any step of this process, please contact our support team.
| 