StackHawk Documentation

Secure Pages Include Mixed Content (Including Scripts)

Reference
Plugin ID: 10040 CWE: 311 WASC: 4 Unknown Passive HTTP Data Stream Protection

Remediation

To remediate this vulnerability, all mixed content on the page should be replaced with content accessed via HTTPS. This can be done by updating the URLs of the resources to use HTTPS instead of HTTP.

About

The vulnerability "Secure Pages Include Mixed Content (Including Scripts)" occurs when a secure page includes content that is accessed via HTTP instead of HTTPS. This can happen when resources such as images, scripts, or stylesheets are loaded using insecure URLs.

Risks

Including mixed content on a secure page can pose several risks:

  1. Security vulnerabilities: Content loaded via HTTP instead of HTTPS travels unencrypted and unauthenticated, which exposes the user to man-in-the-middle attacks or data interception.

  2. Browser warnings: Browsers may display warnings to users when a secure page includes mixed content. This can lead to a poor user experience and may discourage users from interacting with the page.

  3. Loss of trust: Including mixed content on a secure page can erode user trust in the website or application. Users may perceive the presence of mixed content as a sign of poor security practices.

To mitigate these risks, it is important to ensure that all content on a secure page is accessed via HTTPS.
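
One way to find the URLs that need updating, as an added example (not StackHawk's or the scanner's own code): it parses an HTTPS page's HTML and lists subresources that resolve to `http://` URLs, including relative URLs downgraded by a `<base>` tag. The tag list, function names and sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (assumed, non-exhaustive).
LOADERS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
           "video": "src", "source": "src", "embed": "src", "object": "data",
           "link": "href"}
# <link> fetches only for some rel values; rel="canonical" is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (tag, resolved URL, is_script)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href="http://..."> downgrades every relative URL after it
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = LOADERS.get(tag)
        if not attr or not attrs.get(attr):
            return
        if tag == "link" and not FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        url = urljoin(self.base, attrs[attr].strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, tag == "script"))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://shop.example/cart">
<link rel="stylesheet" href="http://static.example/site.css">
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/ok.js"></script>
</head><body><img src="/logo.png"><a href="http://other.example/">x</a>
<img src="HTTP://img.example/banner.png"></body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://shop.example/cart", SAMPLE):
        print(finding)
```

Ordinary links (`<a href>`) and protocol-relative URLs are not reported, since the first is navigation rather than a subresource and the second inherits the page's HTTPS scheme.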
