Finding All Insecure Content on a Secure Page

Question

What's the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I can't find an easy way to find what exact URLs cause the violation.

The easiest way I've found so far is to use Firefox, but even then it's still not very convenient. First, I can right-click, select View Page Info, click the Media tab, and scroll through a list of URLs. However, this seems to only list image files, not CSS or JS includes that can also cause the error. For those, I have to use the Firebug extension, select the Net tab, and manually hover my mouse over each item to see the entire URL. Unfortunately, this can take a while if you have dozens of media files. Is there a better way?

You might look into the [TamperData plugin](https://addons.mozilla.org/en-US/firefox/addon/tamper-data/) for Firefox. — Pointy, Jan 18 '11 at 20:11
I know this is an old post but maybe this will help someone, there's a Desktop app you can use to scan and report on mixed content issues on an entire site: https://www.ecommerce.co.uk/httpschecker. You can also request scan results through email too :) — stilliard, Apr 03 '16 at 10:14

score 99 · Accepted Answer · answered Nov 18 '11 at 19:45

99

Note, in recent versions of Chrome, these errors will be displayed in the Javascript Console.

e.g.

The page at https://mysecuresite.com displayed insecure content from http://unsecuresite.com/some.jpg.

answered Nov 18 '11 at 19:45

Cerin

60,957
96
316
522

7

On Firefox, HTTP requests sent from a HTTPS connection can be seen in red on the Web Console (`Tools`>`Web Developer`>`Web Console` or `Ctrl`+`Shift`+`K`). – AxeEffect Dec 07 '12 at 15:51
2

If using Chrome or Firefox consoles you still don't see the HTTP insecure request you will have to use Fiddler or WhyNoPadlock.com as suggested below. – AxeEffect Dec 07 '12 at 15:59
Watch out for browser plugins causing the problem – Matt Watson May 24 '14 at 12:41
I found Chrome *much* more reliable than anything else for this. It was the only way I could track down a resource loaded quite far down a chain of loaded JS resources. Firefox and two online checkers (SSLcheck and Why No Padlock) couldn't identify it, although Firefox did complain it was there and block that particular content, it just wasn't reporting it in the console. – Jun 04 '16 at 15:55
Even firefox has it under the console. The point is, it's available in browser's console. – pankaj Aug 26 '19 at 11:24

score 32 · Answer 2 · answered Mar 20 '11 at 14:04

32

Try: www.WhyNoPadlock.com It will give you a report of all insecure content on any https web page.

answered Mar 20 '11 at 14:04

Rob Mangiafico

337
3
2

5

Doesn't help for content that requires authentication – Obie Mar 21 '12 at 21:28
2

I like @Rob's answer better. The site he shared tells you exactly which items are insecure. My issue was that Google fonts was being requested without https and the site saved me a lot of time going through my files so check for https in all my includes. – pmalbu Aug 20 '14 at 18:01
The tool said that no insecure content found while a tool shared by another user below (SslCheck) says there are six pages with insecure links (which are real culprit). – Alam Oct 04 '17 at 10:35

Alex from Jitbit · Answer 3 · 2014-08-21T13:26:19.083

12

You can use SslCheck

It's a free online tool that crawls a website recursively (following all internal links) and scans for unsecure content - images, scripts and CSS.

(disclaimer: I'm one of the developers)

edited Aug 21 '14 at 13:26

answered Aug 20 '14 at 22:12

Alex from Jitbit

53,710
19
160
149

1

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. – Raedwald Aug 20 '14 at 22:44
4

@Raedwald It's an online tool. How do you include the essential parts of that here? – Mike Aug 20 '14 at 23:12
2

Nice tool, but it's not checking `
` elements. In my case, a site was implementing their search with `
` which triggered the Chrome warning.
– Abe Voelker Oct 24 '14 at 14:58
1

@AbeVoelker Thanks, I'll contact the team to update it. – Alex from Jitbit Oct 24 '14 at 15:08
@jitbit The comment at the bottom of the page that - This page accepts hash-parameters like this: https://www.jitbit.com/sslcheck/#url=https://www.google.com/, feel free to use. Seems that functionality is broken now – pal4life Oct 12 '16 at 21:42
1

Thank you for sharing this great tool, I found it via Google but came here to see whether it works properly or not. – Alam Oct 04 '17 at 10:36
I've tried using this tool. It's a great idea but I noticed it only scanned 8 pages of one of my sites that has around 95 URLs – user1702965 Jan 06 '18 at 17:37

score 10 · Answer 4 · answered Jan 28 '17 at 16:26

10

Recently had the same issue, using chrome developer tool it was easier to find.. In developer tool go to Security tab, you can find all non-https request

answered Jan 28 '17 at 16:26

vinayak hegde

2,117
26
26

score 5 · Answer 5 · answered Jan 18 '11 at 20:10

5

Use Fiddler.

Secure requests won't show up at all (except as HTTPS CONNECTs, which can be hidden), so everything you'll see is bad.

answered Jan 18 '11 at 20:10

SLaks

868,454
176
1,908
1,964

Alas, I'm on Linux and it says it requires Windows. Does it work at all under Mono? – Cerin Jan 18 '11 at 20:14
1

I would guess not, but I don't know. – SLaks Jan 18 '11 at 20:16
Not necessarily @Obie , I am using it over Ubuntu using [Mono](https://www.mono-project.com/), an open source implementation of Microsoft's .NET that is really easy to install and use. – Juan Antonio Nov 20 '18 at 10:05

score 5 · Answer 6 · answered Feb 22 '12 at 10:43

I had this problem which occurred in a javascript:

/* for Internet Explorer */
/*@cc_on @*/
/*@if (@_win32)
    document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
(.....)

The src=javascript:void(0) should be avoided.

You can not find this problem using Fiddler or Chrome.

score 3 · Answer 7 · answered Mar 14 '19 at 10:44

3

You can check https://www.missingpadlock.com/

Is a online tool for crawl your site for find insecure pages.

answered Mar 14 '19 at 10:44

David Motilla

775
1
4
5

Michael · Answer 8 · 2017-12-05T22:17:43.930

If you own the website, you should look into the Content-Security-Policy header options. These can include forcing HTTPS on resources, or automatically attempting to redirect HTTP resources to HTTPS, among other things.

Notably, there is also a report-uri directive for the closely-related Content-Security-Policy-Report-Only header that reports any infractions of your CSP to a uri of your choosing. This means that any browser with support¹ for report-uri will send you reports of pages on your site with problematic HTTPS on an ongoing basis. Mozilla Developer Network has a PHP example of handling the reports.

¹ Note that if you can reasonably expect any browser with full CSP(RO) support to hit the pages in question, it doesn't matter that some browsers do not have support for it.

This is something it's good to be doing on an ongoing basis anyway. If you can't handle the reporting end conveniently yourself, a service like https://report-uri.com/ can be used. — dartacus, May 15 '18 at 13:34

score 1 · Answer 9 · answered Sep 15 '17 at 09:22

I just want to leave a note about what happened to me when this problem arose.

Suddenly my domain showed 'Mixed: Insecure Items'. I couldn't find the cause at all. The console was just showing an image was being requested: http://www.example.com/, Which I could not find any reference to anywhere.

I searched and searched and eventually found that in the Security Tab of Chrome, Where it was displaying 'Insecure Content' it said 'Show in Network Tab'. When I clicked that, It was showing me the bad URL, again, with no information apart from the Initiatior column. It was showing the image footer_bg.jpg.

Had someone injected code into my footer background image I wondered? Turns out no, I had inadvertently moved that image yesterday and forgot about it. So the page was requesting an image that wasn't there, returning an error. I fixed the link to the image and page loads securely again.

Just for anyone else that will possibly have this problem in the future.

score 1 · Answer 10 · answered Jul 18 '19 at 19:23

If you want a one-shot, reasonably-comprehensive, recursive scan of an entire website, you can use Bramus's mixed-content-scan from the CLI. It won't check links in supplemental JS/CSS, but it's great for finding that one post that the intern from 3 years ago put up with a dangerous non-SSL script.

For an ongoing solution, see my other answer.

score 0 · Answer 11 · answered Feb 23 '12 at 14:44

0

Use Burp Suite, set up the scope as your website, browse to the secure page and check which request are made to HTTP version of your website.

answered Feb 23 '12 at 14:44

Pedro Laguna

465
2
5
20

Finding All Insecure Content on a Secure Page

11 Answers11

Linked