Mixed Content Detection

What is Mixed Content?

Most websites now load over HTTPS, but there can often be tens, or even hundreds, of assets loaded on the page, like images, scripts, styles, iframes and more. Mixed content refers to a website loading over HTTPS while some of the assets on the page load over HTTP.

This mixture of HTTPS and HTTP on the same page can result in a security warning from the browser, or even the browser refusing to load the content, which can result in a bad experience for your visitors.

How do we fix it?

The correct solution to Mixed Content is to identify all Mixed Content on your site and then change the source of the page so the asset is loaded securely using HTTPS instead of HTTP.

With Content Security Policy, you can request that the browser automatically makes these upgrades for you as a temporary solution, and sends a report to notify you so you can deploy a permanent fix.

What do I need to do?

Automatically fixing Mixed Content with a Content Security Policy is easy and requires adding only a single directive to your CSP.

If you'd like to receive reports about the Mixed Content on your site, this can be easily configured using a Content Security Policy Report Only header too!
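As an added example (not code from this page or its tools), the Python below triages CSP violation reports to list plain-HTTP assets requested by HTTPS pages. The report-only policy, the `reports.example` endpoint and the sample reports are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Assumed report-only policy: permit only https: fetches so each plain-HTTP
# load is reported while nothing is blocked. The endpoint is a placeholder.
REPORT_ONLY = ("Content-Security-Policy-Report-Only",
               "default-src https: 'unsafe-inline' 'unsafe-eval'; "
               "report-uri https://reports.example/csp")
# Enforced header carrying the single directive that upgrades HTTP loads.
UPGRADE = ("Content-Security-Policy", "upgrade-insecure-requests")

def _report(page, blocked, directive):
    """Build one constructed report body in the report-uri JSON shape."""
    return json.dumps({"csp-report": {"document-uri": page,
                                      "blocked-uri": blocked,
                                      "effective-directive": directive}})

# Constructed sample input, not captured from a real site.
SAMPLE_REPORTS = [
    _report("https://shop.example/cart", "http://cdn.example/logo.png", "img-src"),
    _report("https://shop.example/cart", "http://cdn.example/logo.png", "img-src"),
    _report("https://shop.example/", "http://ads.example/tag.js", "script-src-elem"),
    _report("https://shop.example/", "data", "img-src"),  # scheme-only value
    "{not json",                                          # malformed body
]

def mixed_content_findings(raw_reports):
    """Return (page, asset, directive, hits) for HTTP assets on HTTPS pages."""
    hits = Counter()
    for raw in raw_reports:
        try:
            body = json.loads(raw).get("csp-report", {})
            page = urlsplit(body.get("document-uri", ""))
            asset = urlsplit(body.get("blocked-uri", ""))
            directive = body.get("effective-directive", "")
        except (ValueError, AttributeError, TypeError):
            continue  # the endpoint is unauthenticated; skip bad input
        if page.scheme == "https" and asset.scheme == "http":
            hits[(page.geturl(), asset.geturl(), directive)] += 1
    # Most frequently reported assets first: fix these in the page source.
    return [key + (count,) for key, count in hits.most_common()]

if __name__ == "__main__":
    for finding in mixed_content_findings(SAMPLE_REPORTS):
        print(finding)
```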

By fixing your mixed content problems you ensure that your content is visible in new browsers. You also help protect users from dangerous content that isn't blocked by older browsers.

- Google, web.dev

How we can help

Whether you have an existing CSP that you'd like to add Mixed Content protection to, or if you need to start out creating a first CSP for your site, we have tools to help make the journey easier.

By monitoring your CSP Reports, you can ensure that all existing Mixed Content on your site has been fixed, and that any new Mixed Content introduced to your site is detected quickly.

The CSP Wizard

We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.

The CSP Wizard was created to solve this problem, and in seven days or less, it can give you a complete list of all resources used across your entire site.

With the list of all resources you use on your site, and our easy-to-use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.

The CSP Builder

All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.

You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.

Content Security Policy

Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack, and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.

Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy before deployment. Once deployed, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.
