Mixed Content

  • CWE 319
  • OWASP 2013-A6
  • OWASP 2017-A3

Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection.

Requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks, where an attacker eavesdrops on a network connection and views or modifies the communication between two parties. Using these resources, an attacker can often take complete control over the page, not just the compromised resource.

  • Use protocol relative URLs. For example;

      <script src="//code.jquery.com/jquery-2.2.3.min.js"></script>
  • Use the upgrade-insecure-requests CSP directive to protect your visitors from insecure content.