For most visitors the green padlock next to your URL makes them feel safe when entering a password or credit card number on your website. The green padlock has become the symbol for a secure website where all traffic to and from the domain is encrypted and protected from prying eyes.
Cloudflare has aimed at putting an end to insecure, unencrypted Internet traffic. Universal SSL has made switching from http:// to https:// as easy as clicking a button, Origin CA has driven the price of a SSL certificate for your server down to zero, and Dedicated Certificates offers turnkey SSL certificate management eliminating most of the maintenance tasks associated with traditional SSL certificates.
In 1997, Internet Explorer 3.0.2 warned users of sites with mixed content with this dialog box.
Today, Google Chrome shows a circled i on any https:// that has insecure content.
Despite these various options, there are still a number of websites that have found enabling SSL difficult and error prone. Identifying and correcting resources that are hard-coded to be loaded over HTTP can be challenging in legacy applications and online publishing platforms. Reliance on 3rd party content and functionality outside domain control can make corrective actions almost impossible.
When websites send both secure (https://) and nonsecure (http://) content from the same page they end up with a problem known as mixed content. When you serve mixed content, the unencrypted resources eliminate the green padlock next to your URL while exposing that data to eavesdropping and tampering vulnerabilities.
Finding and fixing mixed content can be a very challenging and time consuming task. Cloudflare eliminates the manual process of updating resource paths by offering a one click solution; Automatic HTTPS Rewrites.
Automatic HTTPS Rewrites safely eliminates mixed content issues by rewriting insecure URLs dynamically from known secure hosts to their secure counterpart. Cloudflare maintains a list of known secure hosts that includes the Electronic Frontier Foundation excellent HTTPS Everywhere extension and Google Chrome HSTS preload list.
By enforcing a secure connection, Automatic HTTPS Rewrites enables you to take advantage of the latest security standards and web optimization features like HTTP/2 and Server Push which is only available over HTTPS. Automatic HTTPS Rewrites eliminates errors in your visitor’s browser when loading content by loading secured content over unsecured, allowing them to see a green padlock next to your URL on their browser.
Is your website having issues with mixed content? Automatic HTTPS Rewrites is available on all Cloudflare plans, including Free. Sign up for a Cloudflare plan today and eliminate mixed content today.
Mixed content comes in two different categories: passive content and active content. The two different categories define the threat level each type of mixed content can pose if content is rewritten as part of a man-in-the-middle attack.
Passive mixed content refers to unencrypted content that cannot interact with other elements on the page (parts of the Document Object Model) thus posing a lower security threat compared to active content in a man-in-the-middle attack scenario. Tampering with passive content such as text, image, video and audio is limited to the content itself while the rest of the encrypted content on the page remains protected.
Active mixed content refers to unencrypted content that can has the ability to interact with other elements on the page compromising the security of the entire page. Active content includes elements such as iframes, scripts, stylesheets, Flash resources, and other elements that have attributes (e.g. src, href, url, and data) that can make HTTP requests to remote domains.
The risks associated with mixed content vary based on the type of mixed content you have and the data your web page may expose. While passive mixed content poses a lower threat than active mixed content, attackers are constantly finding new and creative ways to exploit vulnerable pages. Whether your mixed content is passive or active, Automatic HTTPS Rewrites offers a one click solution that safely eliminates mixed content issues by rewriting insecure URLs dynamically from known (secure) hosts.
Learn more about Automatic HTTPS Rewrites on our blog.
Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.
Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.