'Not fully secure'


#1

Hello! I’m a newbie to Cloudflare, and although I manage my own website www.violin-tuition.co.uk my IT skills are really really limited - I basically fiddle around until the thing works. So I joined Cloudflare to sort out my SSL, and my site appears to have taken it. I’ve made sure to tick the relevant HTTPS boxes in Crypto, and all my pages have the https prefix. But the Chrome info icon says my site is ‘not fully secure’, followed by something about images and attackers tricking visitors.

My site is very simple and doesn’t process any data except the contact form, which is encrypted. The only images which are not secured within the site are the links to my publications, which redirect to the respective publishers’ websites. Two of these sites are not https. Are these links (also reiterated in the text) the reason Google isn’t recognising my site’s security?

I’m giving myself a pat on the back for having actually come this far, but I’d like to nail that little green padlock! I’d be grateful for any advice.


#2

Hi @hot.rosin, welcome to Cloudflare. The site is great, you just need some fine-tuning to address 6 mixed content issues that are visible using Google Chrome developer tools console view. The “mixed-content” warning shows if not all the content is secure, your website is being loaded over HTTPS, but some of the resources are being loaded over HTTP. To fix this you will need to edit your source code and change all resources to load over a relative path, or directly over HTTPS. Please comment back and let us know how that works.
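The reply above describes mixed content in a sentence; the following is an added example (written for this page, not code from the thread or from Cloudflare) of the check a practitioner would run on the page source: it walks the HTML for attributes that make the browser *load* a sub-resource and reports the ones still using http://. Plain `<a href>` links are deliberately left out, since navigating to an http:// site is not mixed content. The sample markup and the example.com hostnames are constructed placeholders, not the poster's real page.

```javascript
// Added example: a minimal mixed-content scanner for an HTTPS page.
// Attributes that cause the browser to fetch a sub-resource. A plain <a href>
// is not listed on purpose: following a link is a navigation, not a load.
const RESOURCE_ATTRS = [
  ['img', 'src'], ['script', 'src'], ['iframe', 'src'], ['source', 'src'],
  ['video', 'src'], ['audio', 'src'], ['link', 'href'], ['object', 'data'],
];

// Only an explicit http:// scheme is mixed content on an HTTPS page.
// Relative ("images/x.png", "/x.png") and protocol-relative ("//host/x.png")
// values inherit the page's scheme and are fine.
function isInsecureUrl(value) {
  return /^http:\/\//i.test(value.trim());
}

// Returns one finding per insecure resource: { tag, attr, url }.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(\w+)\b([^>]*)>/g; // start tags only; attributes parsed below
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    for (const [t, attr] of RESOURCE_ATTRS) {
      if (t !== tag) continue;
      // (?:^|\s) avoids matching data-src when looking for src
      const attrRe = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']([^"']*)["']`, 'i');
      const a = attrRe.exec(attrs);
      if (a && isInsecureUrl(a[1])) findings.push({ tag, attr, url: a[1].trim() });
    }
  }
  return findings;
}

// Constructed sample page (placeholder hostnames, not the poster's markup).
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://www.example.com/site.css">
</head><body>
<img src="http://www.example.com/wpimages/pic_01.png">
<img src="/wpimages/pic_02.png">
<img src="//cdn.example.net/pic_03.png">
<a href="http://publisher.example.org/book.html">My book</a>
<script src="http://www.example.com/site.js"></script>
</body></html>`;

// Expected: two findings (the first <img> and the <script>); the https
// stylesheet, the relative images and the http:// link are not reported.
function scanSample() {
  return findMixedContent(SAMPLE_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSample());
}
```

This mirrors what the Chrome console reports for the same page. It only looks at tag attributes; `url(http://...)` inside CSS and `srcset` lists are not covered, so a clean result here does not by itself guarantee the padlock.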


#3

Thanks @cloonan. I found out the same thing using an independent check tool. It’ll be interesting to see how this works out; my site was built (by me) using a kind of by-numbers web package for dummies. The difficulty (as I’m now finding, a few years on) is that it’s actually a niche and complex program, and most of the code is not accessible to me. The offending images were generically renamed by the program itself (I can see they’re all png), and I suspect this is why they’re not loading correctly as https. I’ll have a delve and let you know how I get on. Thanks again!


#4

Three steps to full HTTPS (when you can’t fix Mixed Content errors within your site):

  1. Cloudflare Crypto: Always Use HTTPS
  2. Cloudflare Crypto: Automatic HTTPS Rewrites
  3. .htaccess: Header always set Content-Security-Policy: upgrade-insecure-requests

#5

Hi @sdayman, thanks for the suggestions. I’ve already done 1) and 2). I don’t understand 3) at all, but would it be easier to do than rummaging through my site trying to identify automated filenames? A catch-all fix-it would be most welcome - my fear is that the images my software has renamed may not be ‘images’ as such but panels, text boxes, graphics, layers etc that go to make up the template. Which would be a nightmare.


#6

If your website has a .htaccess file in its root directory, add the following line:
Header always set Content-Security-Policy: upgrade-insecure-requests

If your website does not have a .htaccess file, maybe it’s not running Apache. On the off chance it is running Apache, but doesn’t have a .htaccess file, make one with just that one line. Don’t forget the leading dot in the .htaccess filename.


#7

I don’t have the IT skills to do this I’m afraid. When I say limited, I mean really limited. I have no knowledge of coding at all, and don’t understand any of the necessary terminology. I bought this software because it did all that stuff for me. I’ve only had to look outside of that since Google started making changes my package didn’t support.


#8

For $5/month, you can use Cloudflare Workers to add secure headers to your website. Go to the Cloudflare Dashboard for Workers and Launch the Editor. The left column probably has demo text which you’ll replace with what I have below. Also in the left column, you’ll need to click Route and add: www.violin-tuition.co.uk/*
Then go back to the Script and paste in the below script (courtesy of Scott Helme).

let securityHeaders = {
	// Tells the browser to fetch http:// sub-resources over https:// instead
	"Content-Security-Policy" : "upgrade-insecure-requests",
	// max-age is in seconds; 1000 s is short, which is sensible while HTTPS is still being tested
	"Strict-Transport-Security" : "max-age=1000",
	"X-Xss-Protection" : "1; mode=block",
	"X-Frame-Options" : "DENY",
	"X-Content-Type-Options" : "nosniff",
	"Referrer-Policy" : "strict-origin-when-cross-origin",
}

// Headers whose value from the origin server is replaced
let sanitiseHeaders = {
	"Server" : "My New Server Header!!!",
}

// Headers stripped from the origin server's response
let removeHeaders = [
	"Public-Key-Pins",
	"X-Powered-By",
	"X-AspNet-Version",
]

addEventListener('fetch', event => {
	event.respondWith(addHeaders(event.request))
})

async function addHeaders(req) {
	// Fetch the page from the origin, then copy its headers so they can be edited
	let response = await fetch(req)
	let newHdrs = new Headers(response.headers)

	// Only HTML responses get the security headers; images, CSS, etc. pass through untouched
	if (newHdrs.has("Content-Type") && !newHdrs.get("Content-Type").includes("text/html")) {
		return new Response(response.body, {
			status: response.status,
			statusText: response.statusText,
			headers: newHdrs
		})
	}

	Object.keys(securityHeaders).forEach(function(name) {
		newHdrs.set(name, securityHeaders[name])
	})

	Object.keys(sanitiseHeaders).forEach(function(name) {
		newHdrs.set(name, sanitiseHeaders[name])
	})

	removeHeaders.forEach(function(name) {
		newHdrs.delete(name)
	})

	return new Response(response.body, {
		status: response.status,
		statusText: response.statusText,
		headers: newHdrs
	})
}

#9

Thanks @sdayman, but for less than that I could have bought a complete SSL through my web hosting service. That’s why I’m here! :slight_smile:

Meanwhile I’ve just tried to go into my website to locate the problem images, and I can’t log on. I keep getting error messages, which has never happened before. My site is showing up as ftp://ftp.violin-tuition.co.uk/ in my maintenance section, whereas I’m pretty sure it’s been http in the past. Has signing up to Cloudflare interfered with my software’s access? :confused:


#10

Wait, hold on - I think I’ve got this. :slight_smile:


#11

If you ever get into the innards of your website, you’ve got some options.

For the FTP, in your Cloudflare DNS, make sure that ftp-violin-tuition entry is set to :grey: (or maybe you’ve just figured it out)


#12

Yes! Just figured it out! Imma goin’ in…


#13

This is still bugging me. Does your site builder software let you set the URL for your website? It might be set to http://YOURSITE. Hopefully it’ll let you set it to https://

If that doesn’t work, I’ll message you for more info.


#14

Still bugging me too. I went in, got as far into the html as I could and found that what I would guess (as you say) may be part of the problem - the inclusion of http:// in the script - is not editable. I’ve tried a few things on a suck-it-and-see basis, including removing the image files which were flagged as problematic, and renaming most of the other images just in case. I got a bit sidetracked after that, but your suggestion is very helpful. I’ll try that next and get back to you. Thanks. :slight_smile:


#15

Hello

If you are still having issues I can give some advice.
I have perused your site and no pages are giving you the green lock which is your issue.
The reason for this is a few things. Firstly, the links to other sites such as http://www.jonathanrathbone.co.uk/rathbone/Welcome.html, which is on the Bio page, need to be changed to https. This applies to all other third-party website links. Secondly, there are images that are still using http, such as http://www.violin-tuition.co.uk/wpimages/wp75c55886_06.png

There are many other images which are insecure using http so you will need to go through the html code and make these changes. After that you should have no issues.

I have pasted an image of the source code where you can clearly see the other insecure images that use http.

Hope that helps you.


#16

Hi @Ben, thanks for your reply. It’s going to take me days rather than hours to go through this, so I won’t be able to respond immediately. In the meantime though, as you’ll see from my replies above, most of my site has been written using a coding format I can’t access. So I can only add html at certain designated points in the script. As to the images, I am in the process of trying to rename them. But about the third party links, this is a big problem. They are all relevant to my work but most of them have not encrypted their sites. I can’t remove these references or I’d essentially have no credentials left, but equally I can’t realistically approach these organisations/individuals and ask them to sort out their SSL so that my website will function. Most businesses link to third parties; this must happen all the time. Surely there’s a workaround? If not, it kind of indicates no one’s taking any of this security stuff very seriously. I thought that an SSL certificate would make my site secure, end of. But it’s clear now that I’m going to have to spend a lot of time rewriting the site to meet these requirements, and with no guarantee that I’ll ever be able to cover all my bases. :’(


#17

Sites don’t get “Not Secure” because a link to another site is HTTP. That can’t be helped…so her site will be secure once she fixes the Mixed Content. But Jonathan’s site isn’t secure.

@hot.rosin, I did PM you if you’d still like to iron out the Mixed Content issue. It’s probably morning for you right now, but I’m going to bed.
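The header recommended in #4, #6 and #8 (Content-Security-Policy: upgrade-insecure-requests) and the point made in #17 (a link to an http:// site does not cost the page its padlock) are two sides of the same browser rule. The block below is an added example, not code from the thread or from any browser, that models that rule in a simplified form: sub-resource loads over http:// are rewritten to https:// whatever their host, while a link navigation is upgraded only when it stays on the page's own host. The hostnames and request list are constructed placeholders; form submissions and the finer points of the CSP spec are deliberately not modelled.

```javascript
// Added example: a simplified model of what a browser does with
// "Content-Security-Policy: upgrade-insecure-requests".
// Modelled rules (simplified from the CSP spec; treat as an assumption):
//   * sub-resource requests (images, scripts, stylesheets, ...) over http:
//     are rewritten to https: before they are sent, on any host;
//   * link navigations are upgraded only when the target is the page's own
//     host; a link to a third-party http:// site is followed as-is.
// So the header removes mixed content, but does not (and need not) change
// what happens after a visitor clicks through to an http-only publisher.

function upgradeRequest(pageUrl, { url, kind }) {
  const page = new URL(pageUrl);
  const target = new URL(url, pageUrl); // resolves relative URLs against the page
  if (target.protocol !== 'http:') {
    return { url: target.href, upgraded: false }; // already https: or non-web
  }
  if (kind === 'navigation' && target.hostname !== page.hostname) {
    return { url: target.href, upgraded: false }; // cross-host link: left alone
  }
  target.protocol = 'https:'; // http -> https is a permitted scheme change on URL objects
  return { url: target.href, upgraded: true };
}

// Constructed page and request list (placeholder hostnames).
const PAGE = 'https://www.example.com/bio.html';
const SAMPLE_REQUESTS = [
  { url: 'http://www.example.com/wpimages/pic_01.png', kind: 'subresource' }, // own host image
  { url: 'http://cdn.example.net/lib.js', kind: 'subresource' },              // third-party script
  { url: 'http://www.example.com/contact.html', kind: 'navigation' },        // own host link
  { url: 'http://publisher.example.org/book.html', kind: 'navigation' },     // third-party link
  { url: 'https://www.example.com/logo.png', kind: 'subresource' },          // already secure
];

// Returns each request with the URL the browser would actually use.
// Expected: the first three are upgraded; the publisher link and the
// already-https image are unchanged.
function simulate() {
  return SAMPLE_REQUESTS.map((r) => ({ kind: r.kind, ...upgradeRequest(PAGE, r) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of simulate()) console.log(r.upgraded ? 'UPGRADED ' : 'as-is    ', r.kind, r.url);
}
```

Run with a recent Node (the WHATWG URL class is built in). The practical reading: the upgrade directive is a catch-all for images and scripts whose http:// paths cannot be edited in the site builder, and the publisher links in the Bio page can stay exactly as they are.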


#18

Hi @sdayman, thanks for your PM and the offer of a closer look. Because I’m inexperienced and because my site isn’t standard or transparent, it takes me a long time to work stuff through - and I often discover or create other problems in the process which then need sorting. This means I need large chunks of time to work on issues. I would like to try a number of these suggestions, but it may take me a little while. Can I get back to you guys once I’ve had a chance to explore?

P.S. Thanks for the clarification re. third party sites - that’s a weight off my mind!


#19

Yes, you are right @sdayman. That is what happens working at 3am. Anyway, the whole issue is the non-secure images, which I am sure you already know.


#20

A great plugin that solved my problems of insecure links was Velvet Blues Update URLs. With it, it is possible to change all the links from http to https at once, but only if the site is using WordPress.