HTTPS broken up site? - magento

When we access our home page with https url site broken up. I think because the css, js load from http & it not secure.
But what should i do to run my site in both http & https.
Why this happen ? why this not solved in default magento?
for example https://demo.magentocommerce.com/
Any help appreciated

You need to set https for unsecure base url also in order to get the css load for https. I know you want to load site in both cases i.e. http and https, but using both URLs will cause your website's SEO to decrease.
Reason for this is:
http and https will be indexed in search engine as two different URLs.
Decision is up to you, whether you want to use http or https.

Related

Is removing scheme from URL good practice?

I've got a site where I recently started using SSL and now in console I'm getting a couple of errors;
Mixed Content: The page at 'https://www.XXXXX.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Droid+Serif'. This request has been blocked; the content must be served over HTTPS.
I've read that I could specify the stylesheet as: //fonts.googleapis.com/css?family=Droid+Serif and omit the http:// or https:// and let the browser determine which scheme/protocol to use, but I'm surprised I've not seen this before and wondering if this is good practice?
For example, in my Wordpress theme development where I am frequently using wp_enqueue_style should I now use this format by default, assuming where you're calling from is able to serve both?
I'm considering just redirecting all traffic to the https version of the site, but still interested to know if this URL scheme is good practice or not?

Static Website Redirect HTTP to HTTPS with GCP Load Balancer with

I need to redirect my website from http to https, I have my static website in Google Cloud Storage Bucket pointed to Load Balance with http & https enabled.
Example:
http://ex.com = > https://ex.com
http://www.ex.com = > https://www.ex.com
The https://ex.com, https://www.ex.com both work just fine, however, I just need the http redirect so that I can reach Secure Service
Since I am having a static website I hope I can only handle this in Load Balance, Can some one help me with this.
At this time, this is not possible via a Google HTTP Load Balancer feature. There is a feature request here.
You could add JavaScript to your pages. However, this will not guarantee HTTPS redirection. Usually, just adding this to the home page and a few key pages will get most of your traffic to HTTPS.
<script type="text/javascript">
if (location.protocol != 'https:')
{
location.href = 'https:' + window.location.href.substring(window.location.protocol.length);
}
</script>
A little late, but Google added a fix for the issue.
https://issuetracker.google.com/issues/35904733
I know it's an old one.
But now you can do this directly in the load balancer. Follow this tutorial. In particular, you want to go to the "Redirecting traffic to your HTTPS load balancer" section.

Issue with HTTP and HTTPS - Need to get AJAX working

I have a site where the client recently added an SSL certificate, since he has done this it has broke some stuff on the site, noticeably a slider on the homepage of the site.
The only thing I can see in the console is a 'Mixed Content: The page at'https://example.com' was loaded over HTTPS, but requested and insecure script 'http://ajax.googleapis.com...' This request has been blocked; the content must be served over HTTPS.
I have no idea what this means - other than the obvious that I need to get these called over HTTPS.
I have never come across this before. I tried doing a force rewrite in .htaccess which didnt work and I cant seem to understand any stuff online.
Help please!
Thanks

How to redirect amazon images from http to https using htaccess

My client is using amazon to store images for his magento store.
The problem is that in checkout onepage browser says that ssl is not secure becouse some resources are loaded via http.
How i can load all the images that contains this url: http://[username].s3.amazonaws.com/...etc via https, like: https://[username].s3.amazonaws.com/...etc
Here is what i tried and i think i'm close but i'm redirect in browser
RewriteCond %{HTTP_HOST} !^https://absolutetoner.s3.amazonaws.com$ [NC]
RewriteRule ^(.*)$ https://absolutetoner.s3.amazonaws.com/$1 [L,R=301]
It should be simple but i'm stuck.
Thanks so much.
No, it's not simple, and, in fact, it's not possible. You need to fix the links in the web page to use https.
It's not possible for one of several reasons. Which reason applies will depend on why you think this would work.
If you expect these rules to rewrite the html of the pages, that's not what they do. They rewrite incoming requests, which isn't helpful, because...
The web server never sees these requests. Putting these rules in an .htaccess file on the web server serves no purpose, because these requests will never reach the web server. Their hostname points them to S3, and that's where the requests from the browser will go. The web server will never see these requests, so it can't redirect them...
Even if the requests could reach the web server, that doesn't help with the security warning, because the web page still has links to insecure content. Even if a redirect from http to https did happen, information is being sent in the clear during the initial insecure request, so an https redirection does not address the underlying problem...
Or, if you're putting the .htaccess file on S3 itself, then of course it will have no effect, because S3 does not support .htaccess.
In this day and age, there's really no good reason not to use SSL by default for everything... but the alternative to that, if for some reason you don't want to or "can't," is to use // in the links instead of http://. This causes the links to be fetched with the same scheme (http or https) as the one used to load the main page. Example:
<img src="//example.s3.amazonaws.com/img.jpg">

how to embed a youku video on an HTTPS site?

I have a site with HTTPS configured.
My client wants me to embed a youku video. At first the browser blocked the iframe since it had HTTP protocol on it.
I changed it to HTTPS and now youku does not work. It seems youku does not support HTTPS.
is there any way around this?
Perhaps there is a service other than youku that does support HTTPS and is still suitable for that region?
hi,we had supported(sorry for later)
for example:
1
<iframe height=498 width=510 src='https://player.youku.com/embed/XMTg3Nzg4MzY4NA==' frameborder=0 'allowfullscreen'></iframe>
2
https://player.youku.com/player.php/sid/XMTg3Nzg4MzY4NA==/v.swf
3:
<embed src='https://player.youku.com/player.php/sid/XMTg3Nzg4MzY4NA==/v.swf allowFullScreen='true' quality='high' width='480' height='400' align='middle' allowScriptAccess='always' type='application/x-shockwave-flash'></embed>
Youku player serves some resources (like preview images or alternative sources for video) under http, not https - and this might be the main culprit of "partially insecure content" issue in browsers. This problem is caused by Youku player itself, it's quite possible to change the code loaded from their servers.
However, the problem can be solved in most simple and convenient way by rewriting insecure http requests on given page with secure https requests - it possible to achieve this by including CSP meta tag in page header:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
The "Content-Security-Policy" response header allows to control resources the user agent is allowed to load on given page (more information here).
What "upgrade-insecure-requests" directive does: "Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten."
The original solution was found in this post.

Resources