Secure content

Written by Jane Atkinson on . Posted in Documentation

HTTPS and Secure Content

Https is a protocol that encrypts the data going to and from a website so that other people can't easily read it in transit. (Note that it has nothing to do with the trustworthiness of the website's content.) It is rapidly becoming a requirement to use https for everything.

 

Modern browsers will give a warning in the location bar if you access a site over an open or unencrypted (http) connection.

These two images are from Firefox and a Chrome-based browser.

 Insecure address warning in Firefox    Insecure address warning in Chrome-based browser

 

Modern browsers will also give warnings when you try to enter a password into a webpage which uses plain http. These two screenshots are from the same two browsers.

Insecure login warning in Firefox    Insecure login warning in chrome-based browser

 

You may also get a warning if the website contains mixed content. In this context, it means a mixture of "secure" or https content and plain http content. Many modern browsers may refuse to display the http content at all. This means that you'll see blank areas instead of the image or other content.

Missing content due to http link

This is a YouTube link using http, leaving a blank area in some browsers.

 

Content visible with https link

This is the same page, but with the YouTube link set to https.

 

If you use the WYSIWYG editor to insert images, you won't have a problem. (It uses a "relative" form of the link, "/imageuploads/clubnumber/imagename", which works equally well with http and https.)

You are more likely to have problems with content imported from other sites. Examples include images hosted elsewhere, and embedded videos and iframes where content from another site is displayed directly in a window in your own site.

In this image, the link begins with https (circled in red) and it displays correctly when the site is accessed over a https connection.

Link with https URL 

 

If you are finding blank areas in your site where items are refusing to display, check the pages carefully for http links and change them to https.

In a few cases, if the site you're linking to doesn't use https, you get a error message and the content still won't display. Unfortunately, there's not much we can do about that.

 

A http link to another site in your public or members-only menu isn't affected by these limitations and should work without any problems.

 

Enforce HTTPS

You can set up your website to enforce https. This means that even if someone uses http in their location bar or bookmark / favorite, they will be redirected to the https address. This will help to avoid "insecure login" warnings.

The setting is in the Website Settings area of the admin console.

 HTTPS policy setting

Make sure that all your content can display over https before you enforce the use of https.