Implementing TLS for your websites, apps, services, and APIs is easier than ever with tools like Let’s Encrypt now in wide use. There’s no reason not to join the party!
Finding and Fixing Mixed Content Errors
When a link is added with a full path (an absolute URL), make sure it starts with https://.
Use the Content-Security-Policy-Report-Only header to monitor mixed content errors on your site.
Use the upgrade-insecure-requests CSP directive to protect your visitors from insecure content.
Checking Your Resources
Double-check your site for insecure "mixed content" warnings. Here is an example of mixed content.
Here's a simple tool that will tell you about any insecure items on your SSL page: whynopadlock.com
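The same check can be scripted. The scanner below is an added example, not part of the original notes: it lists the http:// subresources in a page's HTML and labels each as active (scripts, stylesheets, frames) or passive (images and media). The tag table, function names and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that trigger a subresource fetch. <a href> is navigation,
# not a subresource load, so anchors are deliberately not listed.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "link": ("href",), "source": ("src",),
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
}
PASSIVE_TAGS = {"img", "audio", "video", "source"}  # display-only media
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by an HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        if tag == "link" and not FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        for name in FETCH_ATTRS.get(tag, ()):
            url = attrs.get(name, "")
            if url.lower().startswith("http://"):
                kind = "passive" if tag in PASSIVE_TAGS else "active"
                self.findings.append((self.getpos()[0], tag, kind, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (example.com / example.net are placeholders).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.net/about">About</a>
<img src="http://example.com/logo.png">
<img src="//example.com/banner.png">
<script src="HTTP://example.net/widget.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in scan(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content: {url}")
```

Scheme-relative URLs such as //example.com/banner.png inherit the page's scheme, so they are not reported when the page itself is served over HTTPS.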
Chrome Developer Tools
- Open Developer Tools: View > Developer > Developer Tools
- Go to the "Security" tab
- If there are any errors or warnings, make sure the "Console" is open by clicking the errors or warnings in the top right. This will give you details about which resources have issues.
Firefox Developer Tools
- Open Developer Toolbar: Tools > Web Developer > Developer Toolbar
- Expand the toolbar by clicking any error
- Choose the "Console" tab to see details of insecure content
- Self-Signed Certificate: a self-signed certificate is an SSL certificate that is not signed by a trusted, central authority in the SSL/TLS certificate ecosystem.
- Nginx and Apache: two of the more popular web servers/proxies that you can run a web app behind.
Added Security Note
Sometimes you may still receive a warning when all resources are being loaded via HTTPS. One possible culprit is a server that supports outdated security protocols. whynopadlock.com will also give you warnings about outdated protocols.
How to get SSL/TLS certificates for Nginx on Ubuntu with Let’s Encrypt, by Mitchell Anicas
How to get SSL/TLS certificates for Apache on Ubuntu with Let’s Encrypt, by Erika Heidi