Finding All Insecure Content on a Secure Page

Question

What\'s the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I

Answer 1

If you own the website, you should look into the Content-Security-Policy header options. These can include forcing HTTPS on resources, or automatically attempting to redirect HTTP resources to HTTPS, among other things.

Notably, there is also a report-uri directive for the closely-related Content-Security-Policy-Report-Only header that reports any infractions of your CSP to a uri of your choosing. This means that any browser with support¹ for report-uri will send you reports of pages on your site with problematic HTTPS on an ongoing basis. Mozilla Developer Network has a PHP example of handling the reports.

---

¹ Note that if you can reasonably expect any browser with full CSP(RO) support to hit the pages in question, it doesn't matter that some browsers do not have support for it.