Automatic HTTPS Rewrites

Solving the mixed content problem


Is your website having issues with mixed content? Automatic HTTPS Rewrites offers a one-click solution that can safely eliminate mixed content by rewriting insecure URLs dynamically from known (secure) hosts. Automatic HTTPS Rewrites is available on all Cloudflare plans. Sign up for a Cloudflare plan and eliminate mixed content today.


Transitioning to fully secure content

For most visitors the green padlock next to your URL makes them feel safe when entering a password or credit card number on your website. The green padlock has become the symbol for a secure website where all traffic to and from the domain is encrypted and protected from prying eyes.

Cloudflare has aimed at putting an end to insecure, unencrypted Internet traffic. Universal SSL has made switching from http:// to https:// as easy as clicking a button, Origin CA has driven the price of an SSL certificate for your server down to zero, and Dedicated Certificates offers turnkey SSL certificate management, eliminating most of the maintenance tasks associated with traditional SSL certificates.

In 1997, Internet Explorer 3.0.2 warned users of sites with mixed content with this dialog box.

Today, Google Chrome shows a circled i on any https:// page that has insecure content.

Despite these various options, there are still a number of websites that have found enabling SSL difficult and error-prone. Identifying and correcting resources that are hard-coded to be loaded over HTTP can be challenging in legacy applications and online publishing platforms. Reliance on third-party content and functionality outside the domain's control can make corrective actions almost impossible.

When websites send both secure (https://) and nonsecure (http://) content from the same page they end up with a problem known as mixed content. When you serve mixed content, the unencrypted resources eliminate the green padlock next to your URL while exposing that data to eavesdropping and tampering vulnerabilities.

Finding and fixing mixed content can be a very challenging and time-consuming task. Cloudflare eliminates the manual process of updating resource paths by offering a one-click solution: Automatic HTTPS Rewrites.

Automatic HTTPS Rewrites safely eliminates mixed content issues by dynamically rewriting insecure URLs from known secure hosts to their secure counterparts. Cloudflare maintains a list of known secure hosts that includes the Electronic Frontier Foundation's excellent HTTPS Everywhere extension and Google Chrome's HSTS preload list.

By enforcing a secure connection, Automatic HTTPS Rewrites enables you to take advantage of the latest security standards and web optimization features like HTTP/2 and Server Push, which are only available over HTTPS. Automatic HTTPS Rewrites eliminates errors in your visitors' browsers when loading content by serving it over secure connections instead of insecure ones, allowing them to see a green padlock next to your URL in their browser.

Is your website having issues with mixed content? Automatic HTTPS Rewrites is available on all Cloudflare plans, including Free. Sign up for a Cloudflare plan and eliminate mixed content today.

Passive v. Active Mixed Content

Mixed content comes in two different categories: passive content and active content. The two different categories define the threat level each type of mixed content can pose if content is rewritten as part of a man-in-the-middle attack.

Passive mixed content refers to unencrypted content that cannot interact with other elements on the page (parts of the Document Object Model) thus posing a lower security threat compared to active content in a man-in-the-middle attack scenario. Tampering with passive content such as text, image, video and audio is limited to the content itself while the rest of the encrypted content on the page remains protected.

Active mixed content refers to unencrypted content that has the ability to interact with other elements on the page, compromising the security of the entire page. Active content includes elements such as iframes, scripts, stylesheets, Flash resources, and other elements that have attributes (e.g. src, href, url, and data) that can make HTTP requests to remote domains.

The risks associated with mixed content vary based on the type of mixed content you have and the data your web page may expose. While passive mixed content poses a lower threat than active mixed content, attackers are constantly finding new and creative ways to exploit vulnerable pages. Whether your mixed content is passive or active, Automatic HTTPS Rewrites offers a one-click solution that safely eliminates mixed content issues by rewriting insecure URLs dynamically from known (secure) hosts.
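The passive/active split and the "rewrite only for known secure hosts" rule described above can be checked against your own pages with a short audit script. This is an added example, not Cloudflare's code; the host list, sample page and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> (category, URL attribute), following the passive/active split above
SUBRESOURCES = {
    "img": ("passive", "src"), "video": ("passive", "src"),
    "audio": ("passive", "src"), "source": ("passive", "src"),
    "script": ("active", "src"), "iframe": ("active", "src"),
    "link": ("active", "href"), "object": ("active", "data"),
    "embed": ("active", "src"),
}
# Constructed stand-in for the known-secure host list (assumption)
KNOWN_SECURE_HOSTS = {"cdn.example.com", "fonts.example.net"}

class MixedContentAuditor(HTMLParser):
    """Collect http:// subresources of a page assumed to be served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url, rewritten url or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in SUBRESOURCES:
            return  # e.g. <a href>: navigation, not a subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        category, attr = SUBRESOURCES[tag]
        url = attrs.get(attr) or ""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return
        # Exact netloc match: URLs with an explicit port or userinfo stay untouched
        secure = parts.netloc.lower() in KNOWN_SECURE_HOSTS
        fixed = parts._replace(scheme="https").geturl() if secure else None
        self.findings.append((category, tag, url, fixed))

def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample page
SAMPLE = """<link rel="stylesheet" href="http://fonts.example.net/site.css">
<script src="http://legacy.example.org/widget.js"></script>
<img src="http://cdn.example.com/logo.png">
<img src="https://cdn.example.com/ok.png">
<a href="http://elsewhere.example/">link</a>"""
if __name__ == "__main__":
    for category, tag, url, fixed in audit(SAMPLE):
        print(f"{category:7} <{tag}> {url} -> {fixed or 'left as-is: host not on list'}")
```

Findings whose rewritten URL is `None` are the ones a host-list-based rewrite cannot fix; active entries in that group deserve attention first.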

Learn more about Automatic HTTPS Rewrites on our blog.

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free: $0/month per website

For personal websites, blogs, and anyone who wants to explore Cloudflare.

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules

Pro: $20/month per website

For professional websites, blogs, and portfolios requiring basic security and performance.

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules

Business: $200/month per website

For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules

Enterprise: contact us

For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules

