This page contains both secure and nonsecure items

Sometimes creating a secure page is easy – you just change the http to https and you’re done. On other times you open the page in Internet Explorer and it starts complaining about unsecure items on the page. It’s annoying because many users get scared away thinking something wrong is going on. Or it’s just annoying since you don’t want to click ok every time you load a page.

To remove this alert follow these simple rules. After you do something reload. If there’s no more alerts you succeeded. Otherwise go on. If you get in a jam leave a comment and I’ll try to find one and add a rule.

  1. Change all http:// resource links to https://. The doctype is not a problem. All others (images, css, javascripts, iframe pages) should be https://.
  2. Change all about:blank links (yep, these are unsecure) to a blank file that exists and is a https:// link.
  3. Install Fiddler and check if there are any hidden requests to http:// (it won’t show https:// requests with the default setting). Change them to https://
  4. Check if any iframes have # for src or the src is left blank. Change them to something that is a https:// link and exists. Looks like # is actually an alias to about:blank.
  5. Find any resources that return an error (404, 500). This one is tricky since it’s not really easy to set up an SSL proxy. Try checking the server’s access logs.

The trick behind these is that any data that comes from an unsecure source triggers the alert. Unsecure data might come from a http:// link OR a built in page. Built in pages are for example about:blank. BUT what you wouldn’t expect is that also Explorer’s built in error pages are unsecure. So if you get a 500 or 404 error and Explorer decides to display its internal error message you will get an alert.

This might not be all but I think it should be enough.

58 Responses to “This page contains both secure and nonsecure items”

  1. thank you so much for this!!! very helpful :-)

  2. hitesh says:

    Hi,

    I need your help, in my one site i have to integrate SSL & i remove all absolute path & http:// path from my site but there is some external links are there which is creates problem to me & those links are not working with https://… so what i have to do?

    Please help me, thanks in advance…

  3. Links are not a problem, resources are. Any http resources as well as any empty resources are insecure. If that doesn’t work remove code part-by-part to find out what triggers the nonsecure message…

  4. hitesh says:

    There are many external links & many external images path & javascript path but that is i can’t remove because it is used in site, so what is the solution for ssl?

    Can you help me & give me proper solution i m stuck up in this task.

  5. hitesh says:

    I find out the issue it is because of some images & js are coming from other site, now in ssl page it is create problem & i m also not able to give https:// link to those images path bcoz those sites are not ssl enabled.

    And also not able to download images & js from those sites give our sites path because they dont allow it.

    So what to do, please help me.

  6. Images are not a problem, JavaScript is. Remove the JavaScript or move it to your own server that can serve it as https.

  7. hitesh says:

    In my site there one external css & js which is creates problem for me in HTTPS, and i can’t remove that because it is important, and also not able to download and set it up on my site…
    They are also not provide css & js with https code…

    So what to do? Please give me solution…
    Thanks…

  8. If you can’t move that content into an iframe then you can’t do a thing…

Leave a Reply