I have a few http links (internal absolute) on my magento https page. Is it ok to have them for my SSL certificate to be displayed with correct padlock?
Having links to non-https pages is fine. LOADING things from non-https URLs is a big no-no.
At most the user will get a warning about transitioning from a secure to a non-secure page, but it won't affect the padlock on the page.
HTTP links won't break the padlock. Loading assets (images, scripts, stylesheets) into the page via an unencrypted URL will, though. As long as you aren't actually loading unencrypted content into the page, the page won't throw any warnings about insecure content.
I have just migrated our website to a new server, and upon doing this the site is missing the background and a bunch of elements. I really know very little about PHP, but from my newbie diagnosis it seems to me it could be in the configuration of that.
The website is - https://amandabernstein.com/
Anything to point me in the direction of resolving this or even diagnosing would be amazing. Server was Cpanel now Plesk.
Thanks in advance.
The problem is that you are trying to load static resources over HTTP when the site is viewed over HTTPS - the browser is triggering a mixed content warning and blocking the resource. Your site is not currently HTTPS-ready.
This isn't specifically about the "migration", but because you are redirecting to HTTPS.
When you move to HTTPS everything else also has to be HTTPS as well - HTTPS everywhere - not just the main target URL you see in the browser's address bar.
You probably have http:// hardcoded in your resource URLs. This needs to be changed to https://.
On modern browsers, you can set the following HTTP response header on the initial response to instruct the browser to automatically upgrade the HTTP request to HTTPS which will avoid this browser warning.
Content-Security-Policy: upgrade-insecure-requests;
For example, you can set this in .htaccess with the following directive:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
But note that this will not upgrade any outbound anchors or help old browsers that don't support this header.
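As an added example (not code from either answer above): a small Python scanner that applies the rule both threads state, namely that an http:// anchor is only a link and leaves the padlock alone, while an http:// subresource (stylesheet, script, image, iframe) on an https page is mixed content and gets blocked. The checkout page, its hostnames and URLs are constructed for illustration; they are not from the original posts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch a subresource into the page.
# An http:// value here on an https page is mixed content; an http:// value in
# an <a href> is only a link to another page and does not affect the padlock.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


def _urls_in(attr, value):
    """srcset holds "url descriptor, url descriptor"; everything else is one URL."""
    if attr == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme
        self.blocked = []   # (tag, attr, url): fetched over http, breaks the padlock
        self.links = []     # http:// anchors: allowed, at most a warning on click
        self.relative = []  # "/path" or "//host/path": inherit the page scheme, fine

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "a":
            href = attrs.get("href", "")
            if urlparse(href).scheme == "http":
                self.links.append(href)
            return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            if attr not in attrs:
                continue
            for url in _urls_in(attr, attrs[attr]):
                scheme = urlparse(url).scheme
                if scheme == "http" and self.page_scheme == "https":
                    self.blocked.append((tag, attr, url))
                elif scheme == "":
                    self.relative.append((tag, attr, url))


def scan(page_url, html):
    """Return (blocked, links, relative) for the page served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.blocked, scanner.links, scanner.relative


# Constructed sample (not from the original posts): an https checkout page whose
# stylesheet and logo are still hardcoded to http://, plus one plain http:// link.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://shop.example/skin/frontend/styles.css">
<script src="https://shop.example/js/app.js"></script>
</head><body>
<img src="http://shop.example/media/logo.png" alt="logo">
<img src="//shop.example/media/banner.png" alt="banner">
<img src="/media/footer.png" alt="footer">
<a href="http://shop.example/help">Help</a>
<iframe src="https://captcha.example/widget"></iframe>
</body></html>"""


def scan_sample():
    return scan(SAMPLE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    blocked, links, relative = scan_sample()
    for tag, attr, url in blocked:
        print(f"MIXED CONTENT: <{tag} {attr}=\"{url}\"> will be blocked")
    for href in links:
        print(f"ok (just a link): {href}")
```

The same scan run with an http:// page URL reports nothing, which is the point of the second answer: the problem only appears once you redirect to https and everything embedded still says http://.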
I have a website (domain from GoDaddy, hosted at HostGator). As I updated the certificates manually, I can redirect my site to https, but it always goes to http from Google search. After searching online, I got to know that considering Strict-Transport-Security: max-age=15768000 as a result of curl -i -L on the target domain will work for my need, as it will force a browser to open the website in https. But I'm confused about how to implement this on my website.
Can anyone help me with this?
Not sure this is right for Stack Overflow. Then again it covers so many topics that it doesn't fit nicely in any other Stack Exchange site either. So anyway will attempt to answer.
Redirects.
What do you mean "I can redirect my site to https"? You should redirect your site to https now that you've gone through the hassle of setting this up, so are you doing it? Or are you able to access both http and https? If so, find out how to force https even if the user enters http.
This is set up with a redirect rule on your web server. Not sure whether you have direct access to your config (e.g. .htaccess file if using Apache) or require your host provider to set this up for you.
Google search
Regarding Google Search, once you have the redirect set up, it will take some time for Google to recognise this and update the links in their search index to show the https version of the pages.
That said, there are ways you can tell Google about this to hurry up the process:
Do you force a redirect to https? If not Google will decide which site to show (http or https) based on a number of factors.
Do you have a site map and have you updated those links to https?
Do you have a rel="canonical" setting in the HTML of any of your pages and is it set to the https version? This tells Google which is the real version of the page if, for example, you allow both http and https versions of the page (not recommended).
Have you registered the https version of your site with Google Search Console? If so are there any errors in there? You can also kick off a re-index request in here.
Have you set all internal links to be https or, better yet, relative links.
Can you update any external links to be https instead of http.
HTTP Strict Transport Security (HSTS)
This is an advanced topic so I really wouldn't recommend it until you understand it more. Basically it's an HTTP header you send back with your webpage over https to tell web browsers "hey I'm an https-only site. From now on, automatically translate any http requests to https before you even send them to me".
It is a good security addition on top of redirects but crucially it does not replace the need for redirects. Redirects need to be in place first to send it to https, at which point your web server can send the HSTS HTTP Header (and which the browser will cache so it knows to change to HTTPS next time).
To set it up you send an HTTP header like this (but only over https requests).
Strict-Transport-Security "max-age=16070400"
This can be set up in your webserver, or in your PHP files, or any other way you can send HTTP headers.
Be aware that this will prevent your site being available over http, so if you decide to turn off https for whatever reason, then you've basically blocked your site for up to the max-age time for any browsers that have cached that setting.
For more information on HSTS see here:
301 Redirect and HSTS in .htaccess
But I really don't think that's what you are looking for here. It tells web browsers (like Google Chrome) to force https and has nothing to do with search engines (like Google Search) as, at present, they ignore this header.
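As an added example (not part of the answer above, and not a real browser's code): a Python model of what the HSTS section describes, namely that a browser only records the header when it arrives over https with a valid max-age, then rewrites later http:// requests to https:// before sending them, and keeps doing so until max-age runs out, which is the lock-in the answer warns about. The hostnames and header values are constructed for illustration.

```python
import time
from urllib.parse import urlparse, urlunparse


def parse_hsts(value):
    """Parse a Strict-Transport-Security value such as
    "max-age=16070400; includeSubDomains". Returns None when there is no valid
    max-age, which is how a browser treats the header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def remember_hsts(store, response_url, headers, now=None):
    """Record a policy the way a browser does: only from an https response that
    carries a valid max-age. store maps host -> {"expires", "include_subdomains"}.
    Returns the stored entry, or None when the header was ignored."""
    parts = urlparse(response_url)
    if parts.scheme != "https":
        return None                      # header on a plain http response is ignored
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value) if value is not None else None
    if policy is None:
        return None
    now = time.time() if now is None else now
    if policy["max_age"] == 0:
        store.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
        return None
    entry = {"expires": now + policy["max_age"],
             "include_subdomains": policy["include_subdomains"]}
    store[parts.hostname] = entry
    return entry


def upgrade_request(store, url, now=None):
    """Before sending, rewrite http:// to https:// when an unexpired policy covers
    the host, either directly or via includeSubDomains on a parent domain."""
    parts = urlparse(url)
    if parts.scheme != "http":
        return url
    now = time.time() if now is None else now
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None or entry["expires"] <= now:
            continue
        if i == 0 or entry["include_subdomains"]:
            return urlunparse(parts._replace(scheme="https"))
    return url


if __name__ == "__main__":
    store = {}
    # Constructed responses: the first arrives over http and is ignored, the second
    # over https (after the redirect) and is cached for max-age seconds.
    remember_hsts(store, "http://www.example.com/", {"Strict-Transport-Security": "max-age=16070400"})
    remember_hsts(store, "https://www.example.com/", {"Strict-Transport-Security": "max-age=16070400"})
    print(upgrade_request(store, "http://www.example.com/page"))   # now goes straight to https
```

The order matters exactly as the answer says: the redirect has to exist first, because a browser that never reaches the https version never sees the header, and the header on the http response is simply dropped.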
When I go to my login page, my website cannot load the captcha form on that page, because it's using HTTPS.
What changes should I add to my website to allow the captcha to load on my site when it uses HTTPS?
How can I make it work with HTTPS?
I'm using a 3rd party captcha service from Google. If I remove SSL, then with HTTP my website can load the captcha. Also on other pages, Google Maps cannot load either.
Typically https pages won't load http pages, because that could be a security risk. Fortunately, most 3rd party services allow both http and https access. Usually it's as simple as replacing the http in the code they provide with https. Obviously this depends on exactly which tools you are using, and some services from smaller companies aren't available over https at all.
If I visit the home page on my site (which uses CodeIgniter), my homepage is using http.
CodeIgniter sets a cookie containing all the session info.
If I then click login, which is using https, I get insecure content warnings, and the only thing I can think of it being is the cookies, as if I restart the browser and then go straight to https://mysite.com/login I get no insecure content warnings.
How can I fix this? (Note that the homepage cannot be https.)
This error comes from content being served over http to a page that's supposed to be https. For example, an <img>, <link>, or <script>.
The thing with Codeigniter is that it's very likely you're using base_url() or site_url() for full absolute URLs to the embedded content, probably using http.
Here are some things you can do:
Use relative URLs, i.e. <img src="/path/to/images.jpg">
Don't specify a protocol. Example: //example.com/path/to/image.jpg More on this technique here: http://paulirish.com/2010/the-protocol-relative-url/
In the __construct() of the controller that you need to use https (or in the method that needs it), load a different config file that redefines your base url to use https. Note that it will be too late for any scripts/libraries that use the base url for html output before this config file is loaded.
If you load the page in IE, you should get a very nagging error message that will give you a list of all the content that was delivered insecurely to help you troubleshoot (other browsers should have this feature as well, but in IE it's especially prominent).
EDIT: Saw your note that there is nothing on the page being requested via http, only https, and the note about what happens when no cookies are present. My mistake, I just woke up - I should have read the question more thoroughly :p
You are loading insecure content (usually images/iframes) on your secure (https) login page.
What this means is that you are referencing a link to a page that is not secure (is not https). This will cause the error, and prompt users whether or not to load such content. It's a problem with the links to external content, not your cookies.
Edit: To (temporarily) fix the issue, find any links/references to external content and disable it for the time being, then visit your page and the prompt/error should go away.
To fix the issue, you'll have to download the content or use a file on your site to securely download the content for that page to use.
Suddenly, my images are not showing up on my site when accessing https pages. No change in my code. My host did have to recompile their FTP service with SSL support after my request (so I could FTPES my site). Can't think of anything else that would affect my SSL cert. The same thing happens on FF and IE and on different computers.
If I go to your website ( https://www.scfootball.org/ ), I don't see the images, as you said : I get a 403 (Forbidden) error for each one of those -- I can see this using the "Net" tab of the Firefox extension Firebug, for instance.
If I try to see an image directly, without going through the site (for instance: https://www.scfootball.org/widgets/GulloParkHeader.png ), then I can see the image.
If you try, make sure you copy-paste the URL to a new tab/window, and not just click on it
Which means there is some kind of trouble between the website and the access to the images ; not on the images themselves.
If I disable the referer in Firefox (the Web Developer toolbar extension allows that easily) and refresh your website's webpage, the images appear.
If I re-enable the referer, and refresh again, then the images don't appear anymore.
Which means there is something, related to the referer, that prevents the images from being sent, and returns a 403 error instead.
Just a wild guess : maybe there's a .htaccess in your widgets directory (or somewhere else) that prevents images from being served, if the referer doesn't correspond to a specific domain ?
Considering the images are displayed on the site when I access it without HTTPS (i.e. with a URL such as http://www.scfootball.org/index2.php ), maybe there is a "protection" in place so your images are not displayed if the Referer is not that non-https website... And that "protection" has not been updated when you switched to HTTPS?
(I've seen that kind of "protection" used to prevent hot-linking of images, for instance)
This is an old post, but it could be hotlink protection too.
If you turn it on and allow an alias for an http:// domain, you have to allow its https:// version too, otherwise it'll deny your images from being served to the client.
I used the Django API to test locally and everything is normal; after deploying SSL, API access is normal, but the picture shows 404.
Yeah, "not showing up" is a little vague. If the HTML is served by HTTPS and the images are still being served by HTTP, there's a little security leak inherent in the page, which your browser may deal with in one of several, largely ineffectual, ways.