Videos and Webinars

Why am I Getting an Error That Says "page contains both secure and nonsecure items" On my Store?

Shift4Shop ExternalSite Design
Why am I Getting an Error That Says "page contains both secure and nonsecure items" On my Store?
Shift4Shop ExternalSite Design
Search

"Page contains both secure and nonsecure items" Error

This error is given by most web browsers when you are entering a site in secure HTTPS mode, but the page you are viewing contains one or more elements such as images, JavaScript files and/or style sheets that are being pulled from a non-secure location.

For example, let's say you've added an image to your site's header or footer. However, you mistakenly reference the image with its full path like this.

<img src="HTTP://www.yourdomain.com/assets/images/image-name.jpg" />

When you access your site's secure HTTPS mode and this image is referenced, your browser may give you a security warning since the image is unsecured.

To fix this, reference the image in a relative path like this:

<img src="assets/images/image-name.jpg" />

Be aware, however, that there may be more than one image path that needs to be fixed in this fashion.

The easiest way to troubleshoot this is to do the following:

  1. Go to your store in secure mode to receive the warning but click YES (as in "Yes, you want to see non-secure items").

2. In your browser, right-click your mouse and select Source or View Source.
3. A tab will open up with the source html code of your page. Perform a CTRL-F search for: "http://."
4. Any time you see "src='http://[path]," it will indicate a file path that should be changed to a relative path.

Of course, this fix only really applies to internal images on your site. Be aware that the warning could also be in reference to other types of files like javascript, css file(s) or even externally hosted images.

For off-site images and scripts, you can change them to a protocol relative link by removing the protocol from the address. So for example, <script src=http://www.google.com/script> is changed to <script src=//www.google.com/script>, which will work the same way as an internal relative link. The script or image will still load, and it will load with the appropriate protocol (http or https).

Additionally, if you have embedded elements like videos on your store layout, you will need to make changes to the element's embed code so that the warning doesn't come up.

It may also help to use this web resource to check your site for unsecure elements as they come up - http://www.whynopadlock.com/