Skip to main content
Drupal Documentation for SCLS

Main navigation

  • Home
  • How-To Info for Library Staff
  • Drupal 10
  • Help

Breadcrumb

  1. Home
  2. How-To Info for Library Staff

Avoid mixed content warnings (HTTPS/HTTP)

Web browsers may display "mixed content" warnings in the address bar when an HTTPS (secure) webpage contains images, iframes, or other resources from HTTP (non-secure) source URLs on other websites. This may cause the whole page to be delivered insecurely.

  • Staff should keep an eye out for "mixed content" that causes pages to not display as HTTPS.
  • Staff should update links, images, and embedded content on the site to make it HTTPS where possible.

Jump to:

What does it look like when a page has mixed content?

How to find HTTP content causing the mixed content warning

Steps to fix a page with a mixed content warning

What does it look like when a page has mixed content?

You can recognize a page with mixed content because the left side of the address bar will show a padlock with a yellow warning triangle, a shield, or no padlock at all. Clicking the "site information" button may display a warning message. NB: The specific icons and indicators may change as web browsers release new versions.

Chrome mixed content warning: No padlock.

Image
Chrome mixed content warning

Chrome insecure content warning: Shield icon.

Image
Chrome insecure content blocked shield icon

Firefox mixed content warning: Padlock with warning icon:

Image
Firefox mixed content with padlock warning

Internet Explorer mixed content warning: No padlock.

Image
Internet Explorer no padlock

How to find the HTTP content causing the warning

Frequently, mixed content warnings on an HTTPS site are triggered by:

  • Media content hosted at another site, intended to be embedded on many sites (like videos, slideshows, timelines, etc.).
  • An image with an HTTP URL from a different website.

Drill down

  1. Visit the page with the mixed content warning while logged into your site.
  2. Click the Edit tab.
  3. Find an image/iframe with the HTTP URL in the Body/Description field.
  4. Right-click the image/iframe and select Image Properties or IFrame Properties.
  5. Check the URL field for an address that begins with "http://".

Fix it or remove it?

Decide how much work you are willing to do to fix this. Consider removing the non-HTTPS content if:

  • The image is on another website and you don't have permission to use the URL. This is considered hotlinking or bandwidth theft and should be avoided (as a matter of ethics and also to provide better security for visitors).
  • It's related to a past program and patron interest in the page has died down.
  • It's "nice to have," but you would rather eliminate the mixed content warning as quickly as possible.

If any of the above apply, just delete the HTTP image/iframe. Save the page and check to make sure the mixed content warning is gone.

What about Syndetics cover art? Isn't that hotlinking or bandwidth theft too?

Using Syndetics cover art is allowed because license terms include permission for LINKcat libraries to use this content on their websites; also, Syndetics content is provided with HTTPS URLs.

Steps to fix a page with a mixed content warning:

  1. Visit the page with the mixed content warning while logged into your site.
    Image
    Chrome insecure content warning
  2. Click the Edit tab.
  3. Find an image/iframe with the HTTP URL in the Body/Description field.
  4. Right-click the image/iframe and select Image Properties or IFrame Properties.
    Image
    Right-click to select iFrame Properties
  5. Copy the URL of the image/iframe.
    Image
    Copy the HTTP URL
  6. Open a new browser/tab, paste in the image or iframe URL you copied, and hit enter to visit it.
    Image
    Paste in the HTTP URL
  7. Check if it automatically changes itself to HTTPS. If it stays HTTP, try adding "s" to the "http" in the URL and hit enter.
    Image
    You may need to type "https" at the front of the URL to test
  8. If the image/iframe loads correctly at the HTTPS URL, copy it from the address bar.
    Image
    Copy the HTTPS URL
    1. Go back to where you were editing. In the Image/IFrame Properties dialog, add the copied HTTPS URL instead of the HTTP one.
      Image
      Paste the HTTPS URL into the IFrame URL
    2. Click OK to exit the Image/IFrame Properties dialog.
  9. If the image/iframe does not work at the HTTPS URL, you may choose to:
    1. Find an alternate version of this resource that has an HTTPS URL. Many sites that were not HTTPS in the past are now, and may provide new embed codes that are HTTPS-friendly.
    2. Save a copy on your computer and upload it to your own site where it will be secured with your site's SSL certificate. (Assuming you have permission, or it is public domain or fair use.)
    3. Delete the image on your page.
  10. Save your changes and check to make sure the mixed content warning is gone.
    Image
    Confirm that the URL is secure with no warnings

Book traversal links for Avoid mixed content warnings (HTTPS/HTTP)

  • What is Cron?
  • Up
  • LINKcat Title List (Experimental)
  • Managing Accounts for Your Drupal Site
  • Images
  • Creating and Editing Website Content
  • Uploading Files to Media
  • Changing Menu Links
  • Creating Photo Albums & Galleries
  • Folders, Directories, and File Structure
  • Blocks
  • Paths and URL Aliases
  • Configuring Site Information
  • Developer Permissions
  • Homepage Variations
  • Events/Programs with repeating dates
  • Registration for Events/Programs
  • What is Cron?
  • Avoid mixed content warnings (HTTPS/HTTP)
  • LINKcat Title List (Experimental)
  • Performance settings: Cache pages for anonymous users
  • Slick Carousel
  • Uploading Files with IMCE

Tags

accordion (1)
account (2)
anchors (1)
blocks (0)
cache (1)
carousel (2)
CKEditor (5)
configuration (1)
content types (1)
CSS (1)
disable rich-text (1)
Drupal 10 (15)
Drupal 9 (16)
email (2)
embed code (1)
Entity Registration (5)
events (6)
file browser (1)
files (4)
files media (1)
folders (1)
formatting (2)
front page (3)
Google Analytics (1)
headings (2)
HTML (1)
iframe (2)
images (4)
imce (1)
Layout Builder (3)
link a pdf (1)
links (5)
login (1)
media (2)
menus (3)
nodes (1)
openid (1)
paste as plain text (1)
paths (4)
performance (1)
photo albums (1)
photo galleries (1)
redirects (3)
registration (5)
remove format (1)
repeat dates (2)
reports (1)
revisions (1)
sidebars (0)
site name (1)
slogan (1)
source (1)
sticky (2)
text formats (1)
themes (1)
toolbar (2)
URL aliases (4)
Webform (2)
widget (1)