Description
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS, protecting it from most sniffers and man-in-the-middle attacks. However, if the page includes content fetched over cleartext HTTP, it becomes a mixed content page. Such pages are only partially encrypted, leaving the unencrypted content exposed to sniffers and man-in-the-middle attackers. Passive content, such as images, audio, or videos, controls the appearance of the webpage and is often referred to as display content.
Recommendation
Ensure all resources are loaded using the HTTPS protocol to prevent mixed content issues and enhance overall security.
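The following scanner is an added example (not part of this page or of any scanner's own code) that walks an HTML document and reports every subresource requested over cleartext HTTP, separating the passive display content the description names (images, audio, video) from active content such as scripts and stylesheets; the sample page and its hostnames are constructed placeholders.

```python
# Mixed-content scanner for an HTML document served over HTTPS.
# Added example; the sample page and example.com hosts are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose URL attributes trigger subresource loads. Images, audio
# and video are the "passive"/display content; scripts, frames,
# stylesheets and objects can change the page and are "active".
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((PASSIVE, "passive"), (ACTIVE, "active")):
            attr = table.get(tag)
            url = attrs.get(attr) if attr else None
            # Only the cleartext scheme is mixed content: relative and
            # protocol-relative URLs inherit https:// from the page itself.
            if url and urlparse(url).scheme == "http":
                self.findings.append((severity, tag, url))

def scan_mixed_content(html):
    """Return (severity, tag, url) for every cleartext subresource."""
    parser = MixedContentScanner()
    parser.feed(html)
    return parser.findings

def rewrite_to_https(url):
    """Apply the recommendation: request the resource over HTTPS instead."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url

# Constructed sample page: two cleartext loads, two that are fine as-is.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<img src="//static.example.com/banner.png">
<video src="/media/intro.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url} -> {rewrite_to_https(url)}")
```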
Related Issues
- X-Content-Type-Options Header is Missing - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- Content Character Encoding is not Defined - Vulnerability
- @tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Ori - Vulnerability
Last updated on May 13, 2024