Non-Secure assets on secure page

Rule from links under content category


Serving JavaScript or CSS over plain HTTP allows an attacker to modify seemingly secure page content, effectively bypassing any encryption. Unsecured JavaScript (and CSS) can be modified on the fly by an attacker, especially on unsecured public networks.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Seemingly Secured Page</title>
</head>
<body>
  <p>Page content</p>

  <!-- BAD, uses insecure HTTP even if HTTPS is available -->
  <script src="http://externaldomain.com/externalResource.js"></script>
</body>
</html>

How do I fix this?

Use protocol-relative URLs for internal and external resources, but make sure the external resources are available over HTTPS.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Secured Page</title>
</head>
<body>
  <p>Page content</p>

  <!-- GOOD, fetches with https if the current page was fetched securely -->
  <script src="//externaldomain.com/externalResource.js"></script>
</body>
</html>
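
To check a page for this problem, the following added example (not Passmarked's own code) parses the HTML and lists every asset an HTTPS page would still fetch over plain HTTP. The function name, the tag table and the sample markup are assumptions made for illustration; the active/passive label follows the usual browser mixed-content classification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, mixed-content class browsers assign to it)
FETCHING_TAGS = {
    "script": ("src", "active"),
    "link": ("href", "active"),
    "iframe": ("src", "active"),
    "img": ("src", "passive"),
}


class _AssetCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        attrs = dict(attrs)
        # Only stylesheet links load and apply content; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        attr, kind = FETCHING_TAGS[tag]
        value = attrs.get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, kind, resolved))


def find_insecure_assets(html, page_url):
    """Return (tag, kind, url) for each asset an HTTPS page would fetch over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the rule only concerns pages that were served securely
    collector = _AssetCollector(page_url)
    collector.feed(html)
    return collector.findings


# Constructed sample: the page's BAD and GOOD script tags plus a stylesheet.
SAMPLE = """<script src="http://externaldomain.com/externalResource.js"></script>
<script src="//externaldomain.com/externalResource.js"></script>
<link rel="stylesheet" href="http://externaldomain.com/site.css">
<img src="/local.png">"""
```

Calling find_insecure_assets(SAMPLE, "https://example.com/") reports the hard-coded http:// script and stylesheet, while the protocol-relative script and the relative image resolve to https and pass.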
