Reputation: 24035
I have a PHP site (which uses HTTPS) that pulls blog content HTML from an API.
Sometimes the blog content contains img tags. In rare cases, the src of an img tag might point to an https URL that is a redirect to an http URL.
So when a visitor to my site loads the page, the browser (e.g. Firefox) says in the URL bar:
Connection is Not Secure
Parts of this page are not secure (such as images).
What can I do to ensure that my visitors always experience full https?
Is there some way that my PHP or javascript could preemptively detect that an img src would redirect to a http URL and simply omit that tag (prevent it from loading)?
Upvotes: 1
Views: 1666
Reputation: 19366
Obviously it is not an acceptable solution to accept HTTP connections in your clients' HTML as it might be a security problem. Therefore I can think of two good possibilities to solve this problem:
1) You parse the HTML code from the API, follow all image links using CURL, check if the URL is redirected (and cache the result because you most probably do not want to do this expensive action on every request).
Most probably you will now ask how to do this. Well: either you turn off curl redirection, check whether something other than status 200 is returned, and strip the image in that case. The correct settings should be:
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
Or you check the final redirection URL with:
$redirectURL = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
This question should be very helpful for you: How can I find where I will be redirected using cURL?
2) You parse the HTML code from the API, fetch the remote images via CURL, test and save them locally and replace the src URLs with the ones on your server.
Both methods could be a nice way to handle your problem, depending on how often you fetch that remote content and how many resources you have available. In most cases, method 1) is most probably more recommendable.
Upvotes: 1
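Method 1 from the answer above, written out as an added example (not code from the answer). It uses a different check from the two shown there: cURL follows redirects itself but is restricted to https with CURLOPT_REDIR_PROTOCOLS, so any hop to http makes the request fail. The function names, timeouts and sample HTML are assumptions.

```php
<?php
// Added example; isHttpsOnly() and stripInsecureImages() are hypothetical names.
/** True only if $url and every redirect hop are https and the final status is 200. */
function isHttpsOnly(string $url): bool
{
    static $cache = []; // per-request only; persist in APCu, Redis or a DB table in practice
    if (isset($cache[$url])) {
        return $cache[$url];
    }
    if (($ch = curl_init($url)) === false) {
        return $cache[$url] = false;
    }
    curl_setopt_array($ch, [
        CURLOPT_NOBODY          => true,            // HEAD request: no image download
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // first request must be https
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // a hop to http:// makes curl_exec() fail
        CURLOPT_TIMEOUT         => 5,
    ]);
    // Fails closed: errors, timeouts and servers that reject HEAD all count as unsafe.
    $ok = curl_exec($ch) !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    return $cache[$url] = $ok;
}

/** Removes every <img> whose src does not pass $isSafe (default: isHttpsOnly). */
function stripInsecureImages(string $html, ?callable $isSafe = null): string
{
    $isSafe = $isSafe ?? 'isHttpsOnly';
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);               // API HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        if (!$isSafe($img->getAttribute('src'))) {
            $img->parentNode->removeChild($img);
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample; the stub replaces the network check so this runs offline.
$sample = '<p>Post <img src="https://cdn.example/a.png"><img src="https://cdn.example/b.png"></p>';
echo stripInsecureImages($sample, fn(string $u): bool => $u === 'https://cdn.example/a.png'), PHP_EOL;
```

A redirect target can change after it was checked, so cached verdicts need an expiry. Relative or empty src values also fail the https-only check and are stripped.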