CrankBerry Blog Title

(7) Comments

Why do I get "page includes resources which are not secure"

You just built a site, and have implemented SSL, but when you go to test it you get "page includes resources which are not secure". This is annoying but you need to fix it.

You can choose to ignore it as for most browser this message is not obtrusive but for some this may generate constant popups that will bug the hell out of your users.

There is only one reason why this message shows up but maybe multiple elements that contributes to this. The reason why this message appears is that on the page you're trying to load through SSL you have links to elements that are not secured through the layer. The warning is letting the user know that although the page maybe secure some elements could put the user at risk. It is essential to have this message. Image you're on a payment website about to type in your credit card and "BAM" this message pops up. What if it is the credit card module that is not secure? Wouldn't you worry? Let's see some of the elements that causes this.

Your Own Content

Depending on the way you apply SSL to your user there maybe a leakage in the elements that are secure. You can use HTACCESS to force SSL on a folder by placing this in .htaccess within that folder:

# Turn On for This Folder
RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

This is assuming you have the rewrite engine and everything enabled. If you have a single file within the directory put into SSL this might be trickier. Look at the page and the elements it links to. Although the page maybe forced into SSL the images, scripts and CSS may not be (don't worry about included PHP scripts they don't count for this). The method that could work is to force those directory into SSL as well. Now this code is not perfect but it has worked:

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} ^/(image|css|javascripts)/?
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1/$2 [R,L]

Basically image, css and javascripts are locations (folders) where those files are located. Change these based on your files. Add more directories with | in between each name.


If you use a third party analytics tracker you may have pasted some sort of code at the bottom of your page. Depending on who you use they may not support SSL. If that's the case you can code it into your file to exclude the script from running. Here's a PHP example:

<?php if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") { ?>
        //Analytics Script
<?php } ?>

Advertisement and Third Party Codes

Just like the analytics code above, third party codes may not have an SSL option for you. If you use a third party code on your site such as advertisements, widgets and feeds you may have to turn it off with the same code as above:

<?php if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") { ?>
        //Ads, Widgets and Feeds
<?php } ?>

The downside is that on these pages you can't use the third party codes. Depending on the page, you may not want to anyways. For example, if you were using analytics on a checkout page, you may just want to check your database for actual analytics rather than hits and bounce rates.

This entry was posted on Thursday, March 3rd, 2011 at 11:51 pm and is filed under HTML, PHP, Web Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses to “Why do I get "page includes resources which are not secure"”

  1. how to make real money online how to make real money online says:

    how to make real money online…

    Why do I get "page includes resources which are not secure" | CrankBerry Blog…

  2. Jerry Jerry Low says:

    Chris, if your site is in PHP then you can use the PHP code but if the file extension on your files are .htm then you can't. Last I heard analytics is updated to support SSL, so there could be other elements that are linked in your page that's not secured.

  3. Chris Chris says:

    I got exactly this problem with our site.
    I put Google Analytics in the site. Could it come from there ?
    Also, I don't know anything about php.
    In you PHP example, could you please tell me where I should add the script and if I need to change "SERVER" by something else and if yes, by what ?
    Thanks for your help.

  4. Jerry Jerry Low says:

    Hey Bar Code, this seems a bit more complex and I don't know I'm skilled enough to answer that one for you. Sorry.


  5. Jerry Jerry Low says:

    Hey May, unfortunately as of right now Google's apps are still not supporting SSL connections. Its a shame and I may not see the full reason for it. I suppose for secure pages they can't transmit and gather the data they need that's why.


  6. May May says:

    Hi, great article, this what ive been trying to find, you see I am working on a site which has a valid ssl certificate but still generates an error. How about if the pages are in html? Is there a way to still put analytics?

    Many thanks,


  7. Is there any way to download site with only secure content and left unsecure when this message appears page include resource which is not secure?

Leave a Reply

Spam protection by WP Captcha-Free