This article is part of our Web Security Knowledge Base.

Why HTTPS Content Available via HTTP can be dangerous

This finding means that content which is accessible through HTTPS URLs can also be retrieved through insecure HTTP URLs. It can result in mixed content pages, that is, an HTTPS page that includes some insecure HTTP resources.

Mixed content resources that cannot alter any element of the page (images, for example) are called "passive mixed content"; resources that can (JavaScript files, for example) are called "active mixed content". Web browsers will usually block mixed content from loading and display mixed content warnings or mixed content errors in the console.

HTTP connections are considered insecure. Using them exposes users to attacks such as cookie hijacking or man-in-the-middle interception, which can then be used for further attacks such as stealing the user's session or modifying the content exchanged between the service and the user.

How to fix HTTPS Content Available via HTTP

Make sure you enable HTTPS on your server.

Make sure to redirect all requests from HTTP to HTTPS site wide.

Do not offer any option that lets a web browser force the use of plain HTTP.

Ensure that the web server, application server, load balancer etc. are configured to serve the secure content only via HTTPS.

Consider implementing HTTP Strict Transport Security.
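The redirect and HSTS steps above carried out in application code, as an added example that is not code from the original article or from ScanRepeat. It assumes a WSGI application, a `canonical_host` you supply (so the redirect target never depends on the client's Host header), and that `X-Forwarded-Proto` is trusted only when a TLS-terminating load balancer in front of the app is known to set it:

```python
from urllib.parse import quote

ONE_YEAR = 31536000  # HSTS max-age in seconds; use a short value while rolling out


def _request_is_https(environ, trust_forwarded_proto):
    """True when the request reached the app over TLS.

    wsgi.url_scheme is set by the server itself. X-Forwarded-Proto is only
    honoured when trust_forwarded_proto is set, i.e. when a TLS-terminating
    load balancer in front of the app is known to set (and overwrite) it.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def _https_location(canonical_host, environ):
    """Build the HTTPS URL to redirect to. The host is fixed rather than taken
    from the client-supplied Host header, so the redirect cannot be steered."""
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{canonical_host}{path}" + (f"?{query}" if query else "")


def force_https(app, canonical_host, hsts_max_age=ONE_YEAR,
                include_subdomains=True, trust_forwarded_proto=False):
    """Wrap a WSGI app: plain-HTTP requests get a 301 to their HTTPS twin,
    HTTPS responses get a Strict-Transport-Security header."""
    hsts_value = f"max-age={hsts_max_age}"
    if include_subdomains:
        hsts_value += "; includeSubDomains"

    def middleware(environ, start_response):
        if not _request_is_https(environ, trust_forwarded_proto):
            location = _https_location(canonical_host, environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS only matters on HTTPS responses; browsers ignore it over HTTP.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", hsts_value))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content\n"]


def call(app, environ):
    """Run a WSGI app on a constructed environ; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return seen["status"], dict(seen["headers"]), body


if __name__ == "__main__":
    app = force_https(demo_app, "example.com")
    # Constructed environs: one plain-HTTP request, one HTTPS request.
    print(call(app, {"wsgi.url_scheme": "http", "PATH_INFO": "/a b", "QUERY_STRING": "x=1"}))
    print(call(app, {"wsgi.url_scheme": "https", "PATH_INFO": "/"}))
```

The middleware answers every plain-HTTP request with a redirect and never with content, which is the property the scanner checks for; the HSTS header is added only to HTTPS responses, since browsers disregard it on HTTP.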

How does ScanRepeat report HTTPS Content Available via HTTP

ScanRepeat checks whether HTTPS content is also available through HTTP. It reports every occurrence of such a vulnerability, providing both the HTTPS and the HTTP URL.
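What such a check looks like when you run it yourself against your own site after applying the fixes, as an added example that is not ScanRepeat's scanner or code from the original article: for each HTTPS URL it requests the `http://` twin without following redirects and classifies the answer. `live_fetch` uses only the standard library; `SAMPLE_RESPONSES` and `sample_fetch` are constructed stand-ins so the script runs offline.

```python
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx as an HTTPError instead of following it,
    so the redirect itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_twin(https_url):
    """Return the same URL with the scheme switched to http."""
    parts = urlsplit(https_url)
    if parts.scheme != "https":
        raise ValueError(f"expected an https:// URL, got {https_url!r}")
    return urlunsplit(("http", parts.netloc, parts.path, parts.query, parts.fragment))


def live_fetch(url, timeout=10):
    """GET url over plain HTTP; return (status, lower-cased headers).
    Raises URLError when nothing answers on the HTTP port at all."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "https-over-http-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:  # 3xx/4xx/5xx still carry a usable answer
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def classify(status, headers):
    """Map an HTTP response to a verdict on the plain-HTTP URL."""
    if 300 <= status < 400:
        target = headers.get("location", "")
        return "redirects-to-https" if target.startswith("https://") else "redirects-to-http"
    if 200 <= status < 300:
        return "served-over-http"
    return "not-served"


def check(https_url, fetch=live_fetch):
    """Report whether the HTTPS URL's content is also reachable over HTTP."""
    http_url = http_twin(https_url)
    try:
        status, headers = fetch(http_url)
        verdict = classify(status, headers)
    except URLError:
        verdict = "not-served"  # e.g. connection refused on port 80
    # Only a redirect straight to HTTPS (or no HTTP listener) is clean; serving
    # the content, or redirecting to another http:// URL, keeps the insecure path open.
    return {"https": https_url, "http": http_url, "result": verdict,
            "vulnerable": verdict not in ("redirects-to-https", "not-served")}


# Constructed responses standing in for a real site, keyed by the http:// URL.
SAMPLE_RESPONSES = {
    "http://example.com/": (301, {"location": "https://example.com/"}),
    "http://example.com/static/app.js": (200, {"content-type": "application/javascript"}),
    "http://example.com/legacy": (302, {"location": "http://example.com/legacy2"}),
}


def sample_fetch(url):
    """Offline stand-in for live_fetch backed by SAMPLE_RESPONSES."""
    if url not in SAMPLE_RESPONSES:
        raise URLError("connection refused")
    return SAMPLE_RESPONSES[url]


def report(https_urls, fetch=live_fetch):
    """One finding per URL whose content is available over HTTP, giving both URLs."""
    return [r for r in (check(u, fetch) for u in https_urls) if r["vulnerable"]]


if __name__ == "__main__":
    urls = ["https://example.com/", "https://example.com/static/app.js",
            "https://example.com/legacy", "https://example.com/closed"]
    for finding in report(urls, fetch=sample_fetch):
        print(f"{finding['result']}: {finding['https']} also at {finding['http']}")
```

Run it with `fetch=live_fetch` (the default) against URLs you own to confirm the site-wide redirect: the only acceptable verdicts are `redirects-to-https` and `not-served`. A redirect whose target is still `http://` is reported as a finding because the content remains reachable over an insecure connection one hop later.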

Would you like to test your application against this problem now? Sign up for our free trial.
