Finding All Insecure Content on a Secure Page

Question

What\'s the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I

Answer 1

You can use SslCheck

It's a free online tool that crawls a website recursively (following all internal links) and scans for unsecure content - images, scripts and CSS.

(disclaimer: I'm one of the developers)

Answer 2

I had this problem which occurred in a javascript:

/* for Internet Explorer */
/*@cc_on @*/
/*@if (@_win32)
    document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
(.....)

The src=javascript:void(0) should be avoided.

You can not find this problem using Fiddler or Chrome.

Answer 3

Use Fiddler.

Secure requests won't show up at all (except as HTTPS CONNECTs, which can be hidden), so everything you'll see is bad.

Answer 4

If you want a one-shot, reasonably-comprehensive, recursive scan of an entire website, you can use Bramus's mixed-content-scan from the CLI. It won't check links in supplemental JS/CSS, but it's great for finding that one post that the intern from 3 years ago put up with a dangerous non-SSL script.

For an ongoing solution, see my other answer.

Answer 5

Try: www.WhyNoPadlock.com It will give you a report of all insecure content on any https web page.