SSL Issue 'Not Fully Secure'

PaulPrescott · March 24, 2020, 5:18pm

I get the https but it says it is not fully secured.

I’ve waited 36 hours…with no further changes.

sdayman · March 24, 2020, 7:07pm

https://community.cloudflare.com/search?q=not%20fully%20secure

PaulPrescott · March 24, 2020, 8:50pm

It seems to be an issue with images… the path in wordpress is http
I don’t know how to change this in wordpress.
When you select an image it defaults to http…i guess because that is all that is on my server.

i’m unable to create a path for images with https

I turned automatic http rewrites on and off…no difference

sdayman · March 24, 2020, 8:59pm

My silver bullet is HTTP headers for CSP. This plugin will do it:

With this header:

Content-Security-Policy: upgrade-insecure-requests

PaulPrescott · March 24, 2020, 11:07pm

That seemed to work all but one page which is odd

I tried to delete it from the menu and re-add it but for some reasons the check boxes don’t work in wordpress…another oddity.

sandro · March 24, 2020, 11:46pm

SSL wise the biggest issue (assuming your server IP address ends in 98) appears to be that your server is not configured at all for SSL.

There is no valid certificate for your domain.
Not even the invalid certificate returns your site’s content but only the default page
Your server’s SSL configuration overall is outdated and uses TLS 1.0, which has been deprecated in most browsers and is insecure.

You should contact your host and have all of that addressed.

PaulPrescott · March 25, 2020, 12:02am

Sorry I have little knowledge of any of this…
I was under the impression that I didn’t need SSL for my domain because cloudflare did that.
But from what I read my domain needs a valid certificate. I can buy that for $40.
I will send the hosting company Site5 what you have written here

Thank you!

sandro · March 25, 2020, 12:04am

Cloudflare cant do that, as Cloudflare can only protect the first leg. The second leg is up to your own server and is currently still insecure.

As for buying a certificate, that is certainly an option but there are plenty of free options out there. Lets Encrypt is one and Cloudflare offers free server certificates as well → search for “Origin certificates”

sdayman · March 25, 2020, 12:06am

Your CSP does not match what I posted. Here’s yours:

content-security-policy: img-src http: https:; block-all-mixed-content; upgrade-insecure-requests

system · April 23, 2020, 9:01pm

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
SSL problem with Wordpress URL Security	4	5899	September 10, 2020
Issues with SSL Security	8	3674	June 13, 2020
Mixed Content; Injecting 5 http:// image links, not in source code Security dash-ssl-tls , dash-errors , dash-troubleshooting	6	1913	June 8, 2019
Mixed Content error for Full SSL certificate Security error , dash-ssl-tls , dash-errors , dash-troubleshooting	8	5637	December 17, 2018
How to configure for both http and https content Security	7	2304	September 11, 2019

SSL Issue 'Not Fully Secure'

Related topics