Mixed Content
Description
The target application was found to request resources over insecure transport protocols (HTTP). This is usually due to HTML elements which load resources using the `http://` scheme instead of `https://`. It should be noted that most modern browsers block these requests automatically so there is limited risk.
Some parts of the application may not behave correctly since these files are not being properly loaded.
Remediation
Ensure all HTML elements which load resources from a URL (JavaScript, stylesheets, images, video and other media) are set to use the `https://` scheme instead of `http://`. Alternatively, developers may use the `//` scheme, which loads resources only over the same protocol as the originating page.
For example, when a browser visits `https://example.com` and the HTML loads a file using `<script src="//example.com/cdn/bundle.js"></script>`, the `example.com/cdn/bundle.js` file is loaded over HTTPS.
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
319.1 | true | 319 | Passive | Info |
Links