6

I'm thinking about my website architecture, which uses HTTPS. I now have a CDN server hosting images, CSS and other static files.

The website itself is using HTTPS for securing sensitive customer data. Will using the static images, loaded by for example 'http://cdn.example.com/images/test.jpg' on a website 'https://www.example.com', pop up a "Loading insecure data" message?

So: loading external NOT SECURED data on a SECURED website. Will this cause a popup warning "Loading insecure data, continue?"?

Thx!

Sam Vloeberghs

4 Answers

19

Yes.

If a page is loaded over HTTPS then every resource it uses should also be loaded over HTTPS.

Otherwise a man-in-the-middle could replace images with misleading ones (or ones that exploit buffer overflow issues in browsers to execute code) and scripts with ones that do different things (such as leak data to the third party).

Quentin
1

If you really want to load HTTP content in HTTPS, you can follow this method using a backend handler in charge of downloading and exposing the required content with self-forged links including a hash. The security issue is then fixed and you get the content accessible through HTTPS.

Dealing with HTTP content in HTTPS pages

Community
Amaury Brisou
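The "self-forged links including a hash" idea from the answer above, sketched as an added example (not code from the answer or from the linked article): the page template emits a same-origin link carrying an HMAC of the target URL, and the backend handler refuses to download anything whose hash does not verify, so it cannot be used as an open proxy. The secret, the `/fetch` path, the host allowlist and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values: secret, handler path and allowed host are
# assumptions for this example, not taken from the page.
SECRET = b"constructed-demo-secret-rotate-me"
PROXY_PATH = "/fetch"
ALLOWED_HOSTS = {"cdn.example.com"}


def _sign(url: str) -> str:
    """HMAC-SHA256 over the exact target URL, hex encoded."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def forge_link(http_url: str) -> str:
    """Build the same-origin link the HTTPS page would embed."""
    return PROXY_PATH + "?" + urlencode({"url": http_url, "sig": _sign(http_url)})


def verify_link(link: str):
    """Return the target URL if the link is authentic and allowed, else None."""
    parts = urlsplit(link)
    if parts.path != PROXY_PATH:
        return None
    query = parse_qs(parts.query)
    urls, sigs = query.get("url", []), query.get("sig", [])
    if len(urls) != 1 or len(sigs) != 1:
        return None  # missing, empty or duplicated parameters
    target, sig = urls[0], sigs[0]
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(_sign(target).encode(), sig.encode("utf-8")):
        return None
    t = urlsplit(target)
    # Defence in depth: only plain http(s) to hosts we intend to relay.
    if t.scheme not in ("http", "https") or t.hostname not in ALLOWED_HOSTS:
        return None
    return target


if __name__ == "__main__":
    link = forge_link("http://cdn.example.com/images/test.jpg")
    print(link)
    print(verify_link(link))
    print(verify_link(link.replace("test.jpg", "other.jpg")))
```

The handler would download the returned URL server-side and serve the bytes over HTTPS; the content is still unauthenticated on the backend-to-origin hop, so this removes the browser warning without making that hop tamper-proof.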
1

You have to load every resource over https to get rid of that warning. You can either move the resources to your server that supports encryption, or link to an external resource over https.

Mike_K
0

I did this recently.

I have a Raspberry Pi loaded with nginx and PHP.

I use HTTPS to handle requests from the web to the PHP code, which in turn sends HTTP requests to my local network to assemble the page. Works well.

Milk Round