Utilize CSP to handle mixed content
Mixed content
Mixed content happens when a site that is loaded via HTTPS loads resources via HTTP. Browsers then report your site as insecure and, depending on the type of the content, may not load the offending resources.
The good news is that CSP can help to handle this.
CSP (Content Security Policy) is a security-related header that allows fine control over what connections can be made by the users browsing your site.
Besides this, it can also auto-rewrite HTTP requests to secure ones.
For this, simply send this header:
Content-Security-Policy: upgrade-insecure-requests
Reporting
Part of CSP is a reporting mechanism that helps you identify the insecure resources so that you can fix them. To enable reporting of mixed content, use this header:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
You need to specify a reporting endpoint. What to use for that?
You can set up a custom one, but then you need to anticipate a plethora of connections. Alternatively, you can use the report-uri service which will collect and organize the reports for you.
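For the custom-endpoint option, the following added example (not code from the original page) shows the processing side: it parses the bodies browsers POST to the report-uri endpoint and counts only the findings where an https: page requested an http: resource. The function names, the MAX_BODY cap and the sample reports are assumptions made for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_BODY = 8192  # assumed cap: reports are small, so drop oversized POST bodies


def parse_report(body: bytes):
    """Return the inner "csp-report" object, or None if the body is unusable."""
    if len(body) > MAX_BODY:
        return None
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):  # bad JSON, bad encoding, absurd nesting
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    return report if isinstance(report, dict) else None


def mixed_content_key(report):
    """Return (page path, insecure origin, directive), or None if not mixed content."""
    try:
        page = urlsplit(str(report.get("document-uri", "")))
        blocked = urlsplit(str(report.get("blocked-uri", "")))
    except ValueError:
        return None
    # default-src https: also reports "inline", "eval" and "data"; those are not mixed content
    if page.scheme != "https" or blocked.scheme != "http" or not blocked.netloc:
        return None
    directive = str(report.get("effective-directive") or report.get("violated-directive") or "")
    return (page.path or "/", f"http://{blocked.netloc}", (directive.split() or ["?"])[0])


def summarize(bodies):
    """Count mixed-content findings across raw report bodies."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        key = mixed_content_key(report) if report else None
        if key:
            counts[key] += 1
    return counts


# Constructed sample bodies, in the {"csp-report": {...}} shape browsers POST to report-uri
SAMPLE = [
    b'{"csp-report":{"document-uri":"https://example.test/blog","blocked-uri":"http://img.example.test/a.png","violated-directive":"img-src"}}',
    b'{"csp-report":{"document-uri":"https://example.test/blog","blocked-uri":"http://img.example.test","effective-directive":"img-src"}}',
    b'{"csp-report":{"document-uri":"https://example.test/","blocked-uri":"inline","effective-directive":"script-src-elem"}}',
    b'not json',
]
```

Grouping by page path and insecure origin collapses the many duplicate reports a single bad include produces into one line per thing to fix.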