How to Fix the Error: This Page Is Not Secure Because of Mixed Content

Insecure resources warning in Chrome

You have just switched your site from HTTP to HTTPS but your browser is displaying mixed content warnings.

Mixed Content: The page at 'https://yoursite.com/article1' was loaded over HTTPS, but requested an insecure image 'http://example.com/insecure.png'. This content should also be served over HTTPS.

I’ll tell you how to handle this situation.

It’s not a problem if your site has 10 pages or so, on which your can quickly find and replace HTTP resources with their HTTPS equivalents. It can be images, video, audio, flash objects or other resources. In our case, we should look for an image tag (IMG), something like this:

<img src=”http://example.com/insecure.png” alt=”” />

It is served through insecure protocol and causes warnings. To fix that we should simply replace the url with its secure alternative https://example.com/insecure.png or //example.com/insecure.png. The second one is totally valid and supports both HTTP and HTTPS sites, so I like it the most.
The resulting IMG tag should look like this:
<img src=”//example.com/insecure.png” alt=”” />

That is easy, isn’t it?

However, if your site contains thousands of pages, you probably need a tool that will find all insecure resources and save your time. Let me introduce my project, called Insecure Resource Finder (insecRes) which can come in handy.

I created insecRes because I needed to check my own site komelin.com after switching to HTTPS and insecRes helped me a lot. This console tool scanned all my site pages and found about 70 insecure resources, which I couldn't find myself.

Okay, time to show you how to use insecRes.

Let’s install it. Since it is written in Go language you need to install the Go tools first. Choose the method that suits your operating system best.

After that, run the following command to install insecRes itself:

go get github.com/kkomelin/insecres

Now run the tool:

$GOPATH/bin/insecres https://example.com

Where https://example.com is HTTPS url of your site.

Please note, the operation can take some time depending on the number of pages on your site.

You may also output results to a file in the CSV format if necessary:

$GOPATH/bin/insecres -f="/home/user/report.csv" https://example.com

insecRes could work significantly faster but I had to put some random delay (500-1000 milliseconds) between requests to avoid banning the IP by a server.

Please give insecRes a try and let me know what you think. Also, if you are a Go developer, please review the project code. I believe we can make the tool better together.