This page contains both secure and nonsecure items
Sometimes creating a secure page is easy - you just change the http to https and you’re done. On other times you open the page in Internet Explorer and it starts complaining about unsecure items on the page. It’s annoying because many users get scared away thinking something wrong is going on. Or it’s just annoying since you don’t want to click ok every time you load a page.
To remove this alert follow these simple rules. After you do something reload. If there’s no more alerts you succeeded. Otherwise go on. If you get in a jam leave a comment and I’ll try to find one and add a rule.
- Change all http:// resource links to https://. The doctype is not a problem. All others (images, css, javascripts, iframe pages) should be https://.
- Change all about:blank links (yep, these are unsecure) to a blank file that exists and is a https:// link.
- Install Fiddler and check if there are any hidden requests to http:// (it won’t show https:// requests with the default setting). Change them to https://
- Check if any iframes have # for src or the src is left blank. Change them to something that is a https:// link and exists. Looks like # is actually an alias to about:blank.
- Find any resources that return an error (404, 500). This one is tricky since it’s not really easy to set up an SSL proxy. Try checking the server’s access logs.
The trick behind these is that any data that comes from an unsecure source triggers the alert. Unsecure data might come from a http:// link OR a built in page. Built in pages are for example about:blank. BUT what you wouldn’t expect is that also Explorer’s built in error pages are unsecure. So if you get a 500 or 404 error and Explorer decides to display its internal error message you will get an alert.
This might not be all but I think it should be enough.
August 2nd, 2006
by Craig
Good article.
Was exactly what I was looking for. I did a find and replace on http:// to https:// and the message went away.
Cheers,
Craig
September 20th, 2006
by Lance
This was perfect!! I have been racking my brain on the problems with this message popping for two days. Thank you so much for posting this!
By the way–Fiddler is essential if people out there aren’t using it yet!
October 26th, 2006
by Varnikov
It’s better to install HTTP Analyzer for IE insteed of Fidder.
Great article! Error resources have to check.
November 6th, 2006
by Kristoffer
No, its not better to grab one for IE then FF, always dev in FF and only check that it works in IE. also for IE bugs i use this procedure.
November 6th, 2006
by ego
@Varnikov: Any traffic analyzer should work just fine - the ones listed were free at time of writing.
@Kristoffer: I don’t know what you’re trying to say - this post is written about a specific problem in IE that does not appear in FF.
November 9th, 2006
by John Duke
There is a really cool fix for this at http://www.htaccesselite.com/htaccess/fix-for-warning-page-contains-secure-and-nonsecure-items-vt129.html
Basically you can use mod_rewrite in an htaccess file to internally redirect https:// to http:// so that you can post https://x.com/image.gif to eliminate the warning message, but the server will internally request http://x.com/image.gif instead!
March 13th, 2007
by Murugesan
I want to disable this warning message in each and every pages. Do u have any code to disable this one.?
Regards
Murugesan
March 14th, 2007
by Adam Ainsworth
Brilliant! I’ve been pulling my hair out all day trying to find the problem with my page and this article solved it. Thank you very much!
April 9th, 2007
in outbreak » The first year (written on April 9th, 2007 by Marko Mrdjenovic)
[...] Google Analytics say that the most popular post by far is This page contains both secure and nonsecure items, JS:Sorted Table page trails at only 20% of hits of the ‘winner’. [...]
April 11th, 2007
by Joshua Oliver
Hi,
We are having some problems with this issue for this page:
https://www.speedystamps.com.au/order.php?type=2
Any idea’s would be great :)
Thanks
April 13th, 2007
by Pablo Alarcon
Thank you very much, all my problems has gone !!
August 8th, 2007
by Craig
If you would like to turn this essage off for all websites in IE7. Navigate to Internet options. Under the security tab click on the internet icon. Then click the custom level button. One of the settings about half way down will be “Display mixed content”. Click enable under this option and that annoying litle window shoud never pop up again.
August 14th, 2007
by Don
Joshua Oliver said,
on April 11th, 2007 at 03:25
Hi,
We are having some problems with this issue for this page:
https://www.speedystamps.com.au/order.php?type=2
Any idea’s would be great :)
Thanks
The problem is the Macromedia include:
Fully qualified using Http://
August 30th, 2007
by jesse
I’m not a programmer - just an annoyed user. Everytime i load my company’s sharepoint page i get the security information popup. Is there a setting in IE that i can disable this? I use Mozilla for every other website, so i’m not concerned about my security settings. thanks.
October 1st, 2007
by Michael
Thank you for the helpful article. I was able to track my issue down to an iframe with missing ’src’ attribute - looks like this is interpreted as ‘about:blank’ as well and leads to the same misbehavior
December 6th, 2007
by sherif sakr
Great thank you very match , it is very useful , all my problems a bout that issue overed
December 27th, 2007
by Saj
I was looking into the same issue.
Thanks a lot.
February 22nd, 2008
by clay
i tired this with ie7 and it didnt work for me. maybe i missed something but i could only fiz this problem by changing my browsers setttings.
March 8th, 2008
by Katina
Hi,
Is this in IE or a website problem that can be totally resolved? I just opened a site and the pop-up is driving the members insane, including me.
We have a SSL site, so how can the developer change the settings to get rid of this problem? Would he have to change many of the pages, or should I send an email to all of the members asking them to configure their IE browsers?
I’m still stuck, sorry.
Thank you for the great info.
–Kat
One Stop Write Shop
http://www.onestopwriteshop.com
Don’t worry Writers, we are lookint in to this issue!
Help is on the way!!!!
March 13th, 2008
by Chris
Fiddler2 didn’t help me much. IE6 gives me that error, and Fiddler2 shows http requests, but lists them as a “HTTPS CONNECT Tunnel”. These requests are all to the root domain, so I’m not sure what they’re for or if they’re causing the error. All requests to actual content at listed as https…
March 17th, 2008
by Ahmad Rahman (ahmad@trustit.ca)
I have tried what i think is everything on a site we just developed and can’t figure it out. The site is http://www.te ch or ium.c om (remove spaces). To see the issue (in IE) just add any product to the cart and then go to check out and the infamous message secure/nonsecure appears. Any suggestions will be greatly appreciated. I have even tried removing the entire header and left column which use background images, and even disabled the CSS completely, to no avail.
Thanks.
March 27th, 2008
by Pablo
Thanks a lot from Argentina
(I found an iframe with missing ’src’ attribute).
April 7th, 2008
by Scott
My problem was that I had two iFrames, one that was visible, and one that could be toggled on and off in place of the other one. That hidden iFrame was without an src (souce). Once I added in a source file, everything was fine.
Hope this helps someone pulling their hair out.
April 10th, 2008
in JIRA: Baydonhill Corporate FX
[BH-152] “This page contains both secure and nonsecure items” message on Bhonline…
We identfied 2 solutions for this issue.
1. Change all http:// resource links to https:// in the application.
2. Change Browser settings (set mixed content to enable under the Internet zone)
Refer below urls for more info.
http://ask-leo.c….
April 10th, 2008
in outbreak » Another year gone by (written on April 10th, 2008 by Marko Mrdjenovic)
[...] Top content is still This page contains both secure and nonsecure items, Messing up the interface coming in at a distant second with merely a third of the visits. [...]
April 11th, 2008
by Evie
I understand that links to pages within the website need to start with https instead of http, but what about links to other websites? I have two links at the bottom of my website to my other two websites. The more links the better right? They are advertising links. Would they cause this problem? Does this mean that for my site to be secure, I can’t have advertising links on it?
I tried making only the 3 checkout pages secure, by making the Add to Cart button link to the https pages, but the other pages continue to point to https and still gettting that irritating message. How can you let only 3 pages be secure and let the rest be http? It seems that those 3 pages would not be able to have any links to the other pages in the website……HELP!
April 11th, 2008
by ego
Only the resource links are the ones that matter - links to other pages can easily be http://. Resources are images, CSS, JavaScript, Flashes, … If you paste the link here maybe we can help you.
May 30th, 2008
by Jerry
Great!
This article really helped me. I had some sleepless nights while solving this “feature”. I didn’t even imagine that blank src in a frame tag may cause this. Our project is pretty big, only one stupid blank src caused problems (switching to https).
Thank you!!!
June 19th, 2008
by krupa
PLZ HELP. I found the missing src in Iframe tag.. but i cant replace it with something else, since initially it has to be blank..and it gets assigned dynamically. what do i do ?
June 21st, 2008
by ego
change the src so a page that will be “empty” as in not have any content in the body of the html. it has to be a document and not a 404 though…
July 2nd, 2008
by Mark
you can also try setting src=”javascript: false;” on your iframe
July 7th, 2008
in IE errors… sigh. | munsinger
[...] checklist [...]
August 13th, 2008
by James Walters
I get this only on a page which has a variant of lightbox (rgsmoothgallery extension in a Typo3 v4.2 site), but it happens in IE 5, 6 & 7. If you click on “No” in the dreaded Security Alert pop-up, the images for the slideshow control buttons don’t display. After you reference all of them in the css with the whole url (http:// … ), those images all DO display even when you click on “No” … but that doesn’t stop the dreaded alert window popping up, so there must be something else in the js somewhere
August 14th, 2008
by ego
James I think you solved your own problem - the images are http:// links when they should be https://
August 22nd, 2008
by Mel Riffe
Howdy, found your article today since I’m having the same problem. I’ve checked everything and the only thing I can find is the use of the xmlns attribute of the html tag. I’m trying to use xhtml in my pages. Could IE6 be complaining about this attribute? Here’s what I have in the page:
Cheers,
Mel
September 4th, 2008
in IE errors… sigh. and Opera. | munsinger
[...] checklist [...]
December 24th, 2008
by linaldo
think what i just have to do is to thank you folks your counsel and this page have been very helpful all the errors are gone now no more trouble on the web site
January 23rd, 2009
by dragon
If using Articulate presentations, check out this article:
http://www.articulate.com/forums/articulate-presenter/2297-secure-server-insecure-content-warning.html
January 31st, 2009
by Michael Deering
If anyone else is having James’ issue with lightbox the offender is the line in lightbox.css containing url(data:image/gif;base64,AAAA). Remove that line and you should see the warning disappear.
February 20th, 2009
by Carlos Moreno
I did all the checks you guys post in here, I changed all the http: for https:, remove the src=”" and I even change href=”#” for href=”", but the site it is still say that “This page contains both ….” in IE6 only
February 20th, 2009
by ego
I’m guessing it’s the 404 errors on some images that trigger IE to use it’s own error which is insecure. Fix the 404s and you should be ok.
February 26th, 2009
by sutr kam
Hi I have some tag i put src= but the problem doesn’t solved.
I know that there is another solution Tools-> Internet Options-> Security Tab-> Internet highlighted-> custom level-> miscellenious -> mixed content change from prompt to enable
but i want to solve this from my page
what to do now
February 26th, 2009
by sutr kam
In above post i have forgotten to mention the tag
the tag is and the alert is not fired in ie7 but i have to use ie6 only what to do now
February 27th, 2009
by ego
Well to start of you should go through the check list and if you can’t find a problem post a link…
March 10th, 2009
by Mohammed Idris
Great article through which I have solved my all queries.
Thanx mates..
May 11th, 2009
by sandeep upadhyay
your article is excellent, it’s really help me, thanks so much
June 18th, 2009
by TPav
My situation turned out to be Flash related. The codebase tag. More info here. http://kb2.adobe.com/cps/165/tn_16588.html
October 19th, 2009
by Per
Thanks a lot for your article. Didn’t know that iframe-src left blank would produce this error. Helped us solve an old problem.