
Utilize CSP to handle mixed content

Mixed content

Mixed content happens when a page loaded over HTTPS includes resources loaded over plain HTTP. Browsers then report your site as insecure and, depending on the type of content, may refuse to load the offending resources.

The good news is that CSP can help to handle this.

CSP (Content Security Policy) is a security-related header that gives you fine-grained control over which connections the browser may make while users browse your site.

Besides this, it can also automatically rewrite HTTP requests to HTTPS.

For this, simply send this header:

Content-Security-Policy: upgrade-insecure-requests

Reporting

Part of CSP is a reporting mechanism that helps you identify the insecure resources so that you can fix them. To enable reporting of mixed content, use this header:

Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint

You need to specify a reporting endpoint. What to use for that?

You can set up a custom one, but then you need to anticipate a plethora of connections. Alternatively, you can use the report-uri service, which will collect and organize the reports for you.
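As an added example (not code from the original post), here is the core of such a custom endpoint: it parses the JSON reports a browser POSTs to the report-uri and keeps only the mixed-content ones, grouped by page. The hostnames and report bodies are constructed samples.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def parse_csp_report(body):
    """Parse the JSON a browser POSTs to the report-uri endpoint.
    Returns the inner 'csp-report' dict, or None if the body is not a CSP report."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None

def is_mixed_content(report):
    """True when an https:// page requested an http:// resource.
    Reports for inline scripts ('inline'), data: URIs or eval are not mixed content."""
    page = urlsplit(report.get("document-uri", ""))
    blocked = urlsplit(report.get("blocked-uri", ""))
    return page.scheme == "https" and blocked.scheme == "http"

def summarize_mixed_content(bodies):
    """Group the insecure resources by the page that loaded them, so each page
    can be fixed in turn. Browsers may shorten a cross-origin blocked-uri to its origin."""
    summary = defaultdict(set)
    for body in bodies:
        report = parse_csp_report(body)
        if report is None or not is_mixed_content(report):
            continue
        summary[report["document-uri"]].add(report["blocked-uri"])
    return {page: sorted(uris) for page, uris in summary.items()}

def _report(page, blocked, directive):
    """Build one constructed report body in the shape browsers send."""
    return json.dumps({"csp-report": {
        "document-uri": page, "blocked-uri": blocked,
        "violated-directive": directive, "effective-directive": directive,
        "original-policy": "default-src https:; report-uri /endpoint"}})

# Constructed sample: two mixed-content violations and one inline-script report
# (the latter is also reported under 'default-src https:' but is not mixed content).
SAMPLE_BODIES = [
    _report("https://shop.example/cart", "http://cdn.example/jquery.js", "script-src"),
    _report("https://shop.example/cart", "http://img.example/logo.png", "img-src"),
    _report("https://shop.example/cart", "inline", "script-src"),
]
```

Note that `default-src https:` also reports inline scripts and `data:` URIs, so filtering on the `http:` scheme is what isolates the mixed-content findings.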
