Uses deprecated APIs 1 warning found Browser errors were logged to the console - browser

I have added an image of the WordPress site where I am facing these two issues, which are becoming a hurdle in optimizing my site for best practices. I tried to find a solution but could not understand how to do that on my WordPress website.
Uses deprecated APIs 1 warning found
Browser errors were logged to the console
Screenshot from Chrome inbuilt dev tool

I have found the solution by removing this policy from the htaccess file. It's an HTTP header. You can check your website's HTTP headers.
Header set Expect-CT enforce,max-age=2592000,report-uri="https://example.com/"
Here is some help on this issue, I believe.
https://developer.chrome.com/blog/immutable-document-domain/
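
To find every place a configuration still sends the header the answer removed, the sketch below scans .htaccess text for active mod_headers directives that set it. It is an added example, not code from the post; the function name and the sample file content are constructed for illustration.

```python
import re

# Apache mod_headers directive: Header [always|onsuccess] <action> <name> <value>
DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?'
    r'(?:set|append|add|merge|setifempty)\s+"?([A-Za-z0-9-]+)"?\s+(.*)$',
    re.IGNORECASE,
)

def find_header_directives(htaccess_text, header_name="Expect-CT"):
    """Return (line_number, value) for each active directive that sends header_name."""
    hits = []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#' and never match
        if m and m.group(1).lower() == header_name.lower():
            hits.append((lineno, m.group(2).strip()))
    return hits

# Constructed sample .htaccess content; line 3 is the directive quoted in the answer.
SAMPLE_HTACCESS = '''\
# security headers
Header set X-Content-Type-Options "nosniff"
Header set Expect-CT enforce,max-age=2592000,report-uri="https://example.com/"
# Header set Expect-CT max-age=0
Header always set "expect-ct" "max-age=86400"
'''
```

Header names are compared case-insensitively, so the quoted lowercase form on line 5 of the sample is reported as well as line 3.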

Related

An issue with the security headers in a Node JS application

I am facing an issue regarding setting of security headers in a Node JS application.
In the project I am working on, there is a need to set some response headers like content-security-policy, noSniff, xss-filter and hsts headers. I am setting these headers with the help of the helmet package. The problem I am facing is that these headers are not being set all the time on all the pages; instead, they are only set the very first time we go to a page, and the second time we come back to the same page these headers are not seen on that page.
One thing I noticed is that only the static pages have this behaviour; the pages that are served from backend data do not have this behaviour.
I searched a lot on Google but found nothing related to it. Please respond on this as soon as possible.
Express version: 4.17.1
Helmet Version: 4.6.0

WWW version of website is showing at the end of the URL [domain]index.php?p=index.html

We have a website set up using the non-WWW version of the website. At the moment, when you access the WWW version of the domain, it seems to redirect to www.ourdomain.com/index.php?p=index.html.
We are seeing the homepage template but with errors (e.g. images aren't loading). Does anyone know what would be the best way to fix what is happening, or the potential causes?
You can use your browser's web inspector tools to see why assets like images aren't loading. Quite possibly it's because they are trying to load from the wrong domain.
If you didn't set the site URL in /craft/config/general.php then the URL set in your admin site settings will be used, so check that is correct first.
Removing the index.php?… part is covered in detail in Craft's Documentation so not worth repeating here.

How to identify mixed content in https website

I've inherited an ASP.NET web site that has an SSL certificate bought via GoDaddy.
The problem is that the certificate seems to be invalid because of some "mixed content/resources" (I think that's what it's called) coming from http sites.
Chrome is showing the red cross over the lock next to https, meaning it's unsecured. The popup says the following:
Clicking "What do these mean?" goes here, which says:
The [crossed-lock] icon appears when Google Chrome detects high-risk mixed content, such as JavaScript, on the page or when the site presents an invalid certificate.
The certificate is correct and valid because I tried creating a blank "Hi world" .aspx page and it's showing the green lock with no problems.
Reading a little bit, I found that I should only include images and JavaScript coming from https sites. The only thing it had coming from http was the addthis widget, but they support https, so I changed to https, but it's still saying that it is unsecured.
I've searched for anything else coming from http in the source, but didn't find anything.
Is there some way (site, chrome extension, firefox extension, whatever) that will show exactly which are the resources that are "unsecured"?
I've never dealt with SSL/HTTPS certificates, but I need to fix this issue asap.
Check your site at http://www.whynopadlock.com, which will give you a list of URLs that are not considered secure by your browser.
Check the Chrome console.
You will get something like this:
The page at https://xys displayed insecure content from http://asdasda.png.
Change that http URL to https, then it will work.
I've found the problem using the Chrome Developer Tools. It was a JS file that's embedding a Flash object from a 3rd-party site that is using http.
Are you on Windows? Download and run Fiddler while browsing the site, and watch for HTTP connections.
Mixed content means the contents of a web page are a mix of HTTP and HTTPS links.
These links include your JS, CSS, images, video, audio, iframes, etc.
If your website is enabled for HTTPS (an SSL certificate has been installed), make sure you serve only HTTPS content throughout your web page.

How to trace source of IE8 Security Warning?

I am getting the dreaded security warning when running my GWT web app under IE8:
"this webpage contains content that will not be delivered using a secure HTTPS"
It of course works fine with Firefox and Chrome.
I have taken a look at the requests with Firebug and I see no HTTP requests.
I have also used both Fiddler and HttpWatch with IE and I still see no HTTP requests.
Can anyone provide me with some clues as to what else might trigger this warning?
There are certain snippets of JavaScript that can also cause a problem. Please see:
http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/
Also, have a look through the pile of comments on:
http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/
Some of the commenters have found and fixed other causes of the warning too.

How to detect which content is not secured on a mixed content SSL page?

I've added an SSL certificate to an existing site, and now in IE I get a mixed content warning. Problem is, I don't know what the non-secure content is that IE is warning me about. It's a simple HTML page, with a few Flash, a few images, a loaded CSS and JS.
How can I find out what the non-secured content is?
Edit:
I found the culprit: it's the JS AC_RunActiveContent.js used to display the Flash movie. So does anyone have an idea how to prevent SSL mixed content when using AC_RunActiveContent.js?
This means that something is requesting content using the http protocol specifically, or you have an absolute path to an image or other content that begins with http instead of https.
A few tips: Use relative paths everywhere you can. If you must use an absolute path, and it's to a server you own, use https. If you're loading stuff from off your site, you're probably stuck with the mixed-content warning.
This also goes for your scripts: check out the JS and the CSS template and make sure they're not the guilty parties. If they are, change them to use relative paths, or to request items via https instead of http (assuming you're positive that the server they're referencing supports https; if it doesn't, you're stuck).
There are a few other details; this might be helpful.
Ok, so here is the solution for my particular problem. It was the codebase value in my code that needed to be https as well (I didn't think it would trigger the warning, as my Flash were displaying correctly, oh well)...
AC_FL_RunContent( 'codebase','https://download.macromedia.com/pub/shoc...
Link to Adobe info on this: Security Information error in Internet Explorer
I use the Firefox console -- it reports the http resources it blocks from fetching on a mixed content page.
Search your source for http: only. Another great tool to help you out is Fiddler with which you can see what's getting downloaded upon requesting your page.
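
Both mixed-content threads above ended at an http:// URL sitting somewhere a plain look at the markup missed (a script embedding Flash, a codebase value), so the search the answers recommend can be automated. The following is an added example, not code from any of the posts: it lists http:// subresource candidates in HTML attributes, inline CSS and inline scripts, and all names and the sample page are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes the browser fetches as part of the page ("codebase" is the Flash case).
FETCH_ATTRS = {"src", "data", "poster", "codebase", "background"}
HTTP_URL = re.compile(r"""http://[^\s"'()<>]+""", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (line, where, url) candidates to review by hand
        self._raw_tag = None  # "script" or "style" while inside that element

    def _scan(self, where, text):
        for m in HTTP_URL.finditer(text):
            line = self.getpos()[0] + text.count("\n", 0, m.start())
            self.findings.append((line, where, m.group(0)))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            loads = name in FETCH_ATTRS or (tag == "link" and name == "href")  # not <a href>
            if loads and value.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], f"<{tag} {name}>", value))
            elif name == "style":  # inline CSS such as url(http://...)
                self._scan(f"<{tag} style>", value)
        if tag in ("script", "style"):
            self._raw_tag = tag

    def handle_endtag(self, tag):
        self._raw_tag = None  # raw-text mode ends at the matching end tag

    def handle_data(self, data):
        if self._raw_tag:  # http:// strings inside inline JS or CSS
            self._scan(f"inline <{self._raw_tag}>", data)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

SAMPLE = """<script>
AC_FL_RunContent('codebase', 'http://download.example/flash.cab');
</script>
<body style="background:url(http://img.example/bg.png)">
<a href="http://other.example/">plain link, not a subresource</a>
<img src="http://img.example/logo.png">
<object codebase="http://download.example/flash.cab"></object>"""  # constructed sample
```

This only sees what is in the served HTML; URLs built at runtime or pulled in by external scripts and stylesheets still need the browser console or a proxy such as Fiddler, as the answers describe.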
