Reputation: 77379
Find out what resources are not going over HTTPS
I have an ASP.NET site which should transport completely over HTTPS. However, in Google Chrome I get a warning that the page includes resources which are not secure. How can I find out which those resources are and why they wouldn't be going over HTTPS?
Upvotes: 93
Views: 87108
Answers (13)
Reputation: 48736
Usually this occurs because you are loading Images, javascript include files or external CSS files without using https. You can use a program such as FireBug: http://getfirebug.com/
FireBug will tell you how your elements are loading and which aren't going through the ssl layer. If you don't have firefox, then I am pretty sure Chrome also has something similar to FireBug built in.
Here's how to use firebug:
- Open firebug
- Click on the Console Tab
- Reload the page
- Any https errors will show in the console and tell you which resource is not working.
Hope this helps
Upvotes: 45
Reputation: 2067
If you want to crawl your own site from your own desktop for a list of all reasources loaded (not loaded by javascript though, which is worth bearing in mind), if using windows you can use Xenu's link sleuth. Export the TSV file and then right click and open with excel, then sort by URL, you can then find those pesky http resources for all pages on the site!
Upvotes: 0
Reputation: 558
I just discovered same behaviour in chrome (firefox showed a green lock), even though all resources were loaded via https.
The reason in my case was that the server supported broken (google poodle) SSLv3.
Setting ssl_protocols to exclude SSLv2 in nginx.conf like so
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
fixed the problem for me.
I consider it unfortunate that chrome doesn't make this reason more transparent. "this page loads some resources insecurely" is very misleading if not wrong.
Upvotes: 0
Reputation: 4496
We've scratched our own itch and wrote a tool that crawls your web-site and tells you what pages have non-SSL resources on them. You just need to enter the root URL of your web site – no need to check every page manually.
http://www.jitbit.com/sslcheck/
Upvotes: 6
Reputation: 1816
I dont know if any one will be checking this answer Or you might have found the solution already, but anyway, my answer might help other people suffering from similar issue
This is the link that I used to check the insecure content /file which was being loaded to my page.
Hope it helps. :)
Upvotes: 0
Reputation: 21
To add to this I right-clicked on the column headings in the Network tab view and selected Protocol.
If you then click on the Protocol heading, the contents of the report will be grouped by HTTPS, etc
Upvotes: 2
Reputation: 5008
In Google Chrome: You can view the offending resource in the Console tab of the Inspect Element window.
It will be listed as:
The page at https://example.com/page displayed insecure content from http://example.com/resource
Of course you might have to reload the page with the Inspect Element window already open.
Upvotes: 8
Reputation: 21
I noticed that when I had this problem that a toolbar(uTorrent) was causing the error. I removed the toolbar and the error went away. Not sure why a toolbar would cause an error on my site, but no more problems here with the SSL certificate.
Upvotes: 2
Reputation: 184
Chrome has their own developer tool.
you can right click a page, inspect it.. and then click the "network" tab and reload the page. you'll see the workflow.
Upvotes: 0
Reputation: 401
I have nothing to do with the people providing this online script, but it's easy and can be bookmarked in any browser.. works well and quickly to solve the problem.. http://www.whynopadlock.com
Upvotes: 40
Reputation: 4165
In Chrome, you can find out which resources were loaded via http versus https by doing the following:
1) In Wrench menu, choose Tools > Developer tools
2) Click on "Resources" toolbar icon
3) Expand the Frames folder to see the different pages. Expand the page whose resources you want to see. The individual Resources for the page are then listed, broken down by Images, Scripts, and Stylesheets
4) To see the URL that was used to load that resource, just hover the mouse over the resource name and the URL will appear, either with http or https. You can also click on an image name to see the image on the right side, along with its URL
Upvotes: 1
Reputation: 22176
I've just had this problem in Chrome also. I checked in the Network tab but all resources were loaded over https.
Solution: close Chrome and re-open.
Chrome must cache its secure-content detection so that even when you fix the problems the insecure content message won't disappear.
Upvotes: 88
Reputation: 2391
One of the easiest ways to do it is to right-click the page in Firefox and select View Page Info. Then go to the Media tab and find anything that is loading from http instead of https.
Upvotes: 6
Related Questions
- Easy way to determine what content is not delivered using a secure HTTPS connection?
- How to find what sources are not using ssl?
- See what content is not sent over HTTPS
- SSL not fully secured (How to find non https links)?
- Find non-ssl items on an https page
- Tools for finding Non SSL resources in web page (firebug like tool)
- Any tool available to detect what's not HTTPS on an encrypted page?
- Analyze page to see which resource is not transfered in https
- How can I determine on the server-side when an incoming request is HTTPS?
- Determining which content was delivered securely and which wasn't