
Identify HTTPS Mixed Content Issues In Real-Time - stilliard
https://httpschecker.net/
======
jwcrux
This doesn't really explain _what_ it's checking, but if you're looking for an
actual checker for your HTTPS configuration, Qualys SSLLabs maintains an open
source client [0] that could easily be scripted to do this exact thing.

[0] - [https://github.com/ssllabs/ssllabs-scan/](https://github.com/ssllabs/ssllabs-scan/)

~~~
weddpros
You might also like [https://sslping.com](https://sslping.com) : it monitors
your servers for free (sends emails if bad cert/ciphers/protocols).

Shameless plug, it's my side project, started because monitoring beats point
in time checks.

------
p4bl0
The title is misleading. This is not an article explaining how to get HTTPS
security right, it is the landing page for a paid service.

------
teach
I've read 3 or 4 pages on the site, and it's still not clear to me what this
tool purports to do.

It identifies mixed-content "issues".

What does that mean? How is it different from the sort of information I get
from Qualys SSLLabs' server test?

~~~
vtlynch
Mixed Content is when your site is serving some of the page's content over
HTTP, and some over HTTPS.

This is a problem because if _any_ piece of content is served over HTTP,
browsers will count the connection as non-secure and will not display the
"green padlock".

This is a pretty common problem when it comes to HTTPS deployment. Normally
seen with sites that were deployed/designed without any consideration for
HTTPS.

Hardcoded URLs, third-party services that don't offer HTTPS, absolute protocol
links, and big clunky infrastructure are the most common causes.

Qualys SSL Labs does not address this. It looks at the site's SSL
configuration, not the way content is served. SSL Labs helps you know if there
are any issues with your certificate (old signature algorithm, common name
mismatch, self-signed, certificate chain issues, etc) and crypto settings
(ciphers, protocol version, etc).

~~~
teach
I know what mixed content is.

I guess because all my websites are static, I never needed anything fancier
than:

    grep -e "http:" *.html

------
newsat13
Would it not be better if I can run this test locally instead of a service?

~~~
tomschlick
The value is that it runs constantly in the background to pick up issues
without humans having to run the tool every few months.

~~~
carwyn
That's called a cron job.

------
finnn
Doesn't a CSP catch and report mixed content issues?

~~~
seanhunter
A CSP can say that you only want to load things over HTTPS, and
Strict-Transport-Security (HSTS) also helps here (see
[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
). I've found [http://securityheaders.io](http://securityheaders.io) quite
helpful in securing my servers alongside SSL Labs server test (as others have
mentioned) to check that your actual server and SSL certs are configured well.

~~~
finnn
According to [0], CSP can do it and offers reporting, unlike HSTS.

[0]: [https://scotthelme.co.uk/fixing-mixed-content-with-csp/](https://scotthelme.co.uk/fixing-mixed-content-with-csp/)

