Mixed Secure and Insecure Content

Applies to

Site Management Tools

When you serve your site over a secure, encrypted connection, give special consideration to any HTML links you include in your content. Specifically, be aware of the consequences of mixing the secure content of your site with content from a location that is not secure, for example, by linking to an image, script, or style sheet via an HTTP-based URL instead of a secure HTTPS-based URL. This is referred to as mixed content, because the main HTML of your page was loaded using a secure HTTPS connection, but additional content on the page is referenced by an HTTP call, which is neither encrypted nor authenticated.

Linking to only secure content helps ensure the integrity of the content on your site. This also provides a more secure shopping experience for your visitors.

Linking to insecure content presents the opportunity for malicious activity such as sniffing and man-in-the-middle attacks. For mixed passive content, such as an image, audio, or other media source, a malicious party can alter the image or media and change what is displayed to the visitor. Mixed passive content does not allow for alteration of any other part of the page.

Mixed active content, such as script or iFrame sources or hypertext links, poses an even greater danger because it allows for more destructive attacks, such as installation of malware or theft of users' personal data.

As a security measure, most web browsers check for mixed content and display a warning message to the user that the page contains content that is not secure. In some instances, this content does not display at all.

When your site is secure and you use a link to other content, SMT checks to see if that content is also secure. If it is not secure, then SMT warns you that your HTML includes a link to content that is not secure. Best practice is to link only to secure content.
