Checking for insecure references

Insecure content is one of those things that can be tricky to find, even though it’s easy to work around. Let’s start by being clear about what we’re talking about.

Insecure content is when your website itself is using HTTPS (the address starts with https://) but some of the content it loads (e.g. images, JavaScript, stylesheets, etc.) is referenced using HTTP (the “src” or “href” attribute starts with http://).

This will usually result in the browser not displaying the “padlock” icon in the address bar, or even displaying a “mixed content” or “insecure content” warning. For example, this is what Chrome displays for an image that isn’t secure…

Not a very good look for your site!  However, I’ve written before about how to easily fix insecure references, either using a CSP or Cloudflare.

This post is about how you go about finding and fixing those references, so that you’re not relying on the browser or a third-party service to fix these issues – it would be much better if your website was using 100% secure internal references, and as high a percentage of secure external references as possible as well.

A tool that I like to use is JitBit’s SSL Check. This will crawl your website (up to 400 pages) and return each page that includes one of these insecure references. You can then go to that page, view the page source, and search for “http:”. Now that you’ve found them, it’s up to you to make the necessary changes.