Scanning Https For Mixed Content

making its piece of occupation a ranking betoken inwards Google search algorithms. HTTPS essentially establishes secure encrypted connections to the cloud. Google farther raised the stake of non using HTTPS past times announcing that, get-go inwards July 2018, the Google Chrome browser amongst the liberate of Chrome 68 volition grade all HTTP websites equally beingness insecure. The effect of non converting to HTTPS is that site visitors volition endure persuaded past times the alert message to bounce from your website.

Even earlier the impending drib dead date, Chrome too other pop spider web browsers such equally Firefox too Edge get got been alert visitors to HTTP-connected sites amongst an informational message.

Web administrators had taken take away heed too converted their websites to HTTPS, many taking payoff of the complimentary SSL certificates issued past times Let's Encrypt. However, if you lot get got successfully converted to HTTPS, your piece of occupation may non endure done. You nonetheless involve to verify that your website is properly recognized equally beingness secure. You desire to come across the padlock icon displayed adjacent to the spider web page's URL inwards the browser window.

To many administrators' surprise, fifty-fifty a properly converted HTTPS website may nonetheless endure marked equally beingness insecure. This is most probable due to the website's mixed content. For a spider web page to endure deemed secure, everything loaded past times that page must endure encrypted past times HTTPS. Influenza A virus subtype H5N1 spider web page amongst mixed content loads both encrypted equally good equally non-encrypted contents such equally images, videos, stylesheets too scripts.

While it is possible to manually spot mixed spider web content on a spider web page, checking a non-trivial website requires automation. Mixed Content Scan is a command-line spider web crawler which scans for mixed content. The balance of this postal service explains how to install too piece of occupation the tool.

Installation

Mixed Content Scan is a batch PHP application. To install the tool, piece of occupation composer, a PHP parcel dependency manager. For the latest instructions on how to install composer, delight call to this link. Note that the said physical care for installs composer inwards the electrical flow directory. Optionally, motility the executable to a globally accessible directory using the next command.

$ sudo mv composer.phar /usr/local/bin/composer 

To install Mixed Content Scan:

$ composer global require bramus/mixed-content-scan: 2.8 

The Mixed Content Scan executable is placed inwards /.config/composer/vendor/bramus/mixed-content-scan/bin.

Scanning for mixed content

To scan a website for mixed content, but render its URL equally an declaration to Mixed Content Scan:

$ cd  /.config/composer/vendor/bramus/mixed-content-scan/bin $ ./mixed-content-scan https://shadowofyourwings.com/ 

By default, the tool outputs the scan study on the terminal("standard output"). Alternatively, you lot tin specify an output file using the --output parameter equally follows:

$ cd  /.config/composer/vendor/bramus/mixed-content-scan/bin $ ./mixed-content-scan --output <some/file/path> https://shadowofyourwings.com/ 

You tin also piece of occupation the --ignore parameter to specify a file which contains URL patterns that the tool volition ignore too non scan. The instance site I piece of occupation is a WordPress website. The scanning tool comes amongst a sample ignore file for WordPress which is located inwards /.config/composer/vendor/bramus/mixed-content-scan/bin/ignorepatterns/wordpress.txt.



$ cd /.config/composer/vendor/bramus/mixed-content-scan/bin
$ ./mixed-content-scan --ignore= /.config/composer/vendor/bramus/mixed-content-scan/bin/ignorepatterns/wordpress.txt https://shadowofyourwings.com/
[2018-02-16 16:53:18] MCS.NOTICE: Scanning https://shadowofyourwings.com/
[2018-02-16 16:53:18] MCS.ERROR: 00000 - https://shadowofyourwings.com/
[2018-02-16 16:53:18] MCS.WARNING: http://gmpg.org/xfn/11
[2018-02-16 16:53:19] MCS.ERROR: 00001 - https://shadowofyourwings.com/about
[2018-02-16 16:53:19] MCS.WARNING: http://shadowofyourwings.com/wp-content/uploads/2017/05/peterLeung.jpg
[2018-02-16 16:53:19] MCS.WARNING: http://gmpg.org/xfn/11
[2018-02-16 16:53:20] MCS.ERROR: 00002 - https://shadowofyourwings.com/contact
[2018-02-16 16:53:20] MCS.WARNING: http://gmpg.org/xfn/11
... <output snipped> ...
[2018-02-16 16:53:38] MCS.NOTICE: Scanned 26 pages for Mixed Content


Mixed Content Scan numbers each page scanned, starting from 00000. In the inwards a higher house example, the About page (00001) has been flagged equally having mixed content. The sources of mixed content equally loaded past times that page are twofold:

1. Vulnerable ikon file.
   The peterLeung.jpg file is beingness loaded via the insecure HTTP connection. The cook is simple: larn to the WordPress management spider web page, too alter HTTP to HTTPS on the About spider web page.
2. Theme header profile
   The header of the default twentyseventeen WordPress subject contains a reference to http://gmpg.org/xfn/11. The code is inwards <document root>/wp-content/themes/twentyseventeen/header.php.
   
   Although the scanner reports its occurrence equally a violation, browsers mostly create non flag this equally a mixed content error. This fault tin endure safely ignored.

Share this post