SSL Issue 'Not Fully Secure'

https://norstartrader.com
I get the https but it says it is not fully secured.

I’ve waited 36 hours…with no further changes.

https://community.cloudflare.com/search?q=not%20fully%20secure

It seems to be an issue with images… the path in WordPress is http.
I don’t know how to change this in WordPress.
When you select an image it defaults to http… I guess because that is all that is on my server.

I’m unable to create a path for images with https.

I turned automatic http rewrites on and off…no difference

My silver bullet is HTTP headers for CSP. This plugin will do it:

With this header:

Content-Security-Policy: upgrade-insecure-requests

That seemed to work on all but one page, which is odd:
http://norstartrader.com/investment-resources/

I tried to delete it from the menu and re-add it, but for some reason the check boxes don’t work in WordPress… another oddity.

SSL wise the biggest issue (assuming your server IP address ends in 98) appears to be that your server is not configured at all for SSL.

  1. There is no valid certificate for your domain.
  2. Not even the invalid certificate returns your site’s content but only the default page.
  3. Your server’s SSL configuration overall is outdated and uses TLS 1.0, which has been deprecated in most browsers and is insecure.

You should contact your host and have all of that addressed.

Sorry, I have little knowledge of any of this…
I was under the impression that I didn’t need SSL for my domain because Cloudflare did that.
But from what I read, my domain needs a valid certificate. I can buy that for $40.
I will send the hosting company Site5 what you have written here.

Thank you!

Cloudflare can’t do that, as Cloudflare can only protect the first leg. The second leg is up to your own server and is currently still insecure.

As for buying a certificate, that is certainly an option, but there are plenty of free options out there. Let’s Encrypt is one, and Cloudflare offers free server certificates as well -> search for “Origin certificates”

Your CSP does not match what I posted. Here’s yours:

content-security-policy: img-src http: https:; block-all-mixed-content; upgrade-insecure-requests
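
One way to check how a site's served CSP differs from the single-directive header recommended in this thread, as an added example that is not part of any post. The two header values are copied from the thread; the function names are hypothetical.

```python
"""Compare a served Content-Security-Policy value with the one-directive
policy recommended in the thread. Added example, not from any poster."""

# Header values copied from the thread.
RECOMMENDED = "upgrade-insecure-requests"
OBSERVED = "img-src http: https:; block-all-mixed-content; upgrade-insecure-requests"

# Scheme sources that permit loads over an unencrypted transport.
INSECURE_SCHEMES = ("http:", "ws:")


def parse_csp(header_value):
    """Return {directive_name: [values]} for one CSP header value.

    Directive names are case-insensitive. A repeated directive is
    ignored, so the first occurrence wins.
    """
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:  # empty segment, e.g. a trailing ';'
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(observed, recommended=RECOMMENDED):
    """List the ways the observed policy differs from the recommended one."""
    seen, wanted = parse_csp(observed), parse_csp(recommended)
    findings = [f"missing directive: {name}" for name in wanted if name not in seen]
    for name, values in seen.items():
        if name not in wanted:
            findings.append(f"extra directive: {name}")
        insecure = [v for v in values if v.lower() in INSECURE_SCHEMES]
        if insecure:
            findings.append(
                f"{name} allows insecure scheme source: {' '.join(insecure)}"
            )
    return findings


if __name__ == "__main__":
    for line in audit(OBSERVED):
        print(line)
```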
