This article describes an issue that occurs when visitors to your web site request a secure web page that contains insecure elements.
When visitors to your web site request a page using a secure https:// connection, a broken padlock icon may appear in the web browser's location bar. Additionally, they may receive a warning message:
This problem occurs if a web page contains hyperlinks to insecure elements. For example, consider a web page that contains the following HTML snippet:
<a href="http://www.example.com/images/picture.jpg">View my picture</a>
In this HTML snippet, the hyperlink references a non-secure http:// resource (a .jpg file). If a user requests this page using an https:// connection, the page itself is encrypted, but the hyperlinked image file is not. As a result, the page contains secure and insecure content, and the browser displays a warning message to the user.
To resolve this problem, add the following lines to the .htaccess file that you use on your website:
<IfModule mod_headers.c> Header always set Content-Security-Policy "upgrade-insecure-requests;" </IfModule>
Alternatively, you can use the following meta tag in your site's content pages:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">