This article describes an issue that occurs when visitors to your web site request a secure web page that contains insecure elements.
When visitors to your web site request a page using a secure https:// connection, a broken padlock icon may appear in the web browser's location bar. Additionally, they may receive a warning message:
This problem occurs if a web page contains hyperlinks to insecure elements. For example, consider a web page that contains the following HTML snippet:
<a href="http://www.example.com/images/picture.jpg">View my picture</a>
In this HTML snippet, the hyperlink references a non-secure http:// resource (a .jpg file). If a user requests this page using an https:// connection, the page itself is encrypted, but the hyperlinked image file is not. As a result, the page contains secure and insecure content, and the browser displays a warning message to the user.
Adding the following lines of code via .htaccess and the meta tag will prevent insecure elements from appearing on the page.
// header Content-Security-Policy "upgrade-insecure-requests; // meta tag <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
For information about how to set up this configuration, please see this article.