Changed CSS URL to "https"; page source shows HTTP and getting mixed content error


#1

I have the following error on my error console:

Mixed Content: The page at ‘https://www.flexibleassembly.com/’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://www.flexibleassembly.com/code/css/flexible2015.css’. This request has been blocked; the content must be served over HTTPS.

on my homepage file, the URL is set to “https” but when I view the page source, it says “http”.

I’ve tried purging and nothing worked. Is there anything else I can do?


#2

In Cloudflare Crypto, you probably already have enabled “Always Use HTTPS.” Try enabling “Automatic HTTPS Rewrites” as well.

If that doesn’t fix it, add the following to the .htaccess file in your website directory. If you don’t have an .htaccess file, see if you can add one. (This assumes your web server is running Apache)
Header always set Content-Security-Policy: upgrade-insecure-requests


#3

I have both of those enabled in Crypto.

I wish I could remember the article, but it read that the HTTPS rewrites wouldn’t overwrite .css or .js files.

I did rename the code on my file to https, when I view the page source - it shows http.

We use NetSuite as our platform, I don’t think we have .htaccess - I tried looking for that earlier so I could to the HTTPS rewrite from there.


#4

I hope you’re using Cloudflare’s Full SSL setting. It just makes life easier when rewriting for HTTPS.

You’re just going to have to track down those HTTP references and change them to HTTPS.

Looking back, I see you said you tried purging. What did you purge? Was it from the Cloudflare Cache settings page for Purge Everything?


#5

I get a 502 error when I go “full”.

I did change the files in the css to https, it’s just that somehow the site pulls http when I pasted https


#6

for purging, I first specified the home page and then I said purge everything


#7

Ok, Flexible is still workable, but gets tricky if the web server tries to pretend it’s HTTPS when it really isn’t.

Purge home page and Purge Everything would be two separate purges. While you work on this, it would be quicker just to go to Cloudflare’s “Overview” tab for your site and use the Quick Action to turn on Development Mode. This will temporarily stop caching while you update your website.

If all else fails, you may have to bite the bullet and pay $5/month to turn on Cloudflare Workers for your site and use it to set the HTTP headers to force HTTPS:
https://scotthelme.co.uk/security-headers-cloudflare-worker/


#8

thanks! I did go into development mode, but I did go through and edit everything that began with “//” to “https://”

I also removed the .css file as well and pasted the CSS onto the homepage. Least it removed the errors.


#9

The homepage is all better now. Hopefully that’s everything.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.