Automatic HTTPS Rewrites

Solving the mixed content problem

Is your website having issues with mixed content? Automatic HTTPS Rewrites offers a one-click solution that can safely eliminate mixed content by dynamically rewriting insecure URLs that point to known (secure) hosts. Automatic HTTPS Rewrites is available on all Cloudflare plans. Sign up for a Cloudflare plan and eliminate mixed content today.

Transitioning to fully secure content

For most visitors, the green padlock next to your URL makes them feel safe when entering a password or credit card number on your website. The green padlock has become the symbol for a secure website where all traffic to and from the domain is encrypted and protected from prying eyes.

Cloudflare aims to put an end to insecure, unencrypted Internet traffic. Universal SSL has made switching from http:// to https:// as easy as clicking a button, Origin CA has driven the price of an SSL certificate for your server down to zero, and Dedicated Certificates offers turnkey SSL certificate management, eliminating most of the maintenance tasks associated with traditional SSL certificates.

In 1997, Internet Explorer 3.0.2 warned users of sites with mixed content with this dialog box.

Today, Google Chrome shows a circled i on any https:// page that has insecure content.

Despite these various options, there are still a number of websites that have found enabling SSL difficult and error-prone. Identifying and correcting resources that are hard-coded to be loaded over HTTP can be challenging in legacy applications and online publishing platforms. Reliance on third-party content and functionality outside the domain's control can make corrective actions almost impossible.

When websites send both secure (https://) and nonsecure (http://) content from the same page, they end up with a problem known as mixed content. When you serve mixed content, the unencrypted resources eliminate the green padlock next to your URL and expose that data to eavesdropping and tampering.

Finding and fixing mixed content can be a very challenging and time-consuming task. Cloudflare eliminates the manual process of updating resource paths by offering a one-click solution: Automatic HTTPS Rewrites.

Automatic HTTPS Rewrites safely eliminates mixed content issues by dynamically rewriting insecure URLs that point to known secure hosts to their secure counterparts. Cloudflare maintains a list of known secure hosts that includes the hosts from the Electronic Frontier Foundation's excellent HTTPS Everywhere extension and from Google Chrome's HSTS preload list.

By enforcing a secure connection, Automatic HTTPS Rewrites enables you to take advantage of the latest security standards and web optimization features like HTTP/2 and Server Push, which are only available over HTTPS. Automatic HTTPS Rewrites eliminates errors in your visitors' browsers when loading content by loading secure content in place of insecure content, allowing them to see a green padlock next to your URL.

Is your website having issues with mixed content? Automatic HTTPS Rewrites is available on all Cloudflare plans, including Free. Sign up for a Cloudflare plan and eliminate mixed content today.

Passive v. Active Mixed Content

Mixed content comes in two different categories: passive content and active content. The two different categories define the threat level each type of mixed content can pose if content is rewritten as part of a man-in-the-middle attack.

Passive mixed content refers to unencrypted content that cannot interact with other elements on the page (parts of the Document Object Model), thus posing a lower security threat than active content in a man-in-the-middle attack scenario. Tampering with passive content such as text, image, video and audio is limited to the content itself, while the rest of the encrypted content on the page remains protected.

Active mixed content refers to unencrypted content that has the ability to interact with other elements on the page, compromising the security of the entire page. Active content includes elements such as iframes, scripts, stylesheets, Flash resources, and other elements that have attributes (e.g. src, href, url, and data) that can make HTTP requests to remote domains.

The risks associated with mixed content vary based on the type of mixed content you have and the data your web page may expose. While passive mixed content poses a lower threat than active mixed content, attackers are constantly finding new and creative ways to exploit vulnerable pages. Whether your mixed content is passive or active, Automatic HTTPS Rewrites offers a one-click solution that safely eliminates mixed content issues by dynamically rewriting insecure URLs that point to known (secure) hosts.
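
To see how the passive/active split and the known-host rewrite fit together, the following added example (not Cloudflare's code) audits a page for http:// subresources, classifies each using the categories above, and shows the URL a host-list rewrite would produce. The host list, the sample page and all names in it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a list of known secure hosts (assumption).
KNOWN_SECURE_HOSTS = {"cdn.example.com", "media.example.org"}
# (tag, attribute) pairs that fetch subresources, grouped as on this page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src")}

class MixedContentAuditor(HTMLParser):
    """Collects http:// subresources and what a host-list rewrite would emit."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Only stylesheet links load active content; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for name, value in attrs.items():
            kind = ("active" if (tag, name) in ACTIVE
                    else "passive" if (tag, name) in PASSIVE else None)
            parts = urlsplit(value.strip())
            if kind is None or parts.scheme.lower() != "http":
                continue  # not a subresource (e.g. <a href>), or not http://
            known = (parts.hostname or "") in KNOWN_SECURE_HOSTS
            self.findings.append({
                "tag": tag, "kind": kind, "url": value,
                # Upgrade only hosts known to serve HTTPS; others stay flagged.
                "rewritten": parts._replace(scheme="https").geturl() if known else None,
            })

def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page, assumed to be served over https://.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.net/page">
<script src="http://legacy.example.net/widget.js"></script>
<img src="http://media.example.org/logo.png">
<img src="https://media.example.org/ok.png">
<a href="http://www.example.net/about">About</a>
"""
```

Findings whose `rewritten` value is `None` are the ones a host-list rewrite leaves in place: the host is not on the list, so the reference still has to be fixed at the source.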

Learn more about Automatic HTTPS Rewrites on our blog.

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free: $0/month per website
For personal websites, blogs, and anyone who wants to explore Cloudflare.

The Free Plan includes all of these features:
  • Unmetered Mitigation of DDoS
  • Global CDN
  • Shared SSL certificate
  • Access to account Audit Logs
  • 3 page rules

Pro: $20/month per website
For professional websites, blogs, and portfolios requiring basic security and performance.

The Pro Plan includes everything in Free, and:
  • Web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • Access to account Audit Logs
  • 20 page rules

Business: $200/month per website
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

The Business Plan includes everything in Pro, and:
  • Web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Bypass Cache on Cookie
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized email support
  • Access to account Audit Logs
  • 50 page rules

Enterprise: contact us
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

The Enterprise Plan includes everything in Business, and:
  • 24/7/365 enterprise-grade phone, email, and chat support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Enterprise-grade DDoS protection with network prioritization
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to Raw Logs
  • Access to account Audit Logs
  • Dedicated solution and customer success engineers
  • Access to China CDN data centers (Additional Cost)
  • 100 page rules