Load external scripts over https

This isn’t strictly a CF question, so it won’t hurt my feelings if it gets booted. It’s just that the experts here seem so very smart (not to mention attractive) you may know the answer off the top of your head …
My site is set to redirect http requests to https, and this seems to work fine for incoming requests. But Mozilla Observatory complains that some external scripts are loaded over http. Is there a way to force external scripts to be loaded over https?

Cloudflare has two settings in SSL/TLS -> Edge Certificates that help with this: Always Use HTTPS, and Automatic HTTPS Rewrites. See if turning them both on helps.

Thanks sdayman, both have long been turned on (I checked just now to make sure).

Then a Content Security Policy that includes “upgrade insecure requests” will fix that. You can use Cloudflare Workers, or a site/host-based solution you’ll have find if my last link doesn’t help.

https://scotthelme.co.uk/security-headers-cloudflare-worker/

Thanks sdayman. Much appreciated. I’ll give CSP a try.

This topic was automatically closed after 30 days. New replies are no longer allowed.