Switching to HTTPS ahead of changes to Google Chrome

Serving over HTTPS is now increasingly viewed as a best practice for user privacy and security. Starting later in October, the Google Chrome browser will label pages with a "Not secure" warning in the address bar when users enter data on an HTTP page. This will impact all UNLedu Framework pages since the UNL site search bar is in the header of every page.

UNLcms Websites

Beginning October 1, 2017, sites hosted on UNLcms will forward all http:// requests to their https:// equivalent. Read the "Code Changes for You to Make" section below for changes you may need to make to your pages.

All other websites not in UNLcms

If you visit your website by typing in its domain name (for example: yourdepartment.unl.edu) and it doesn't forward to https://yourdepartment.unl.edu (with the "s" in "https") then it's recommended that you add an SSL certificate to your server and redirect HTTP requests to their HTTPS equivalent. Contact your server administrator for assistance.

Code Changes for You to Make

tl;dr

  • Required: All JavaScript file references and iframe embeds must use https:// in their URLs or must use a relative path.
  • Best practice: All images should use https:// in their URLs or use a relative path.
  • Don't change links: basic links should be left alone.

While your pages will now be served over HTTPS, they can still include other assets, such as images and JavaScript files, that are loaded over HTTP. This is called mixed content. While most users should be able to view passive mixed content (such as images), they will now be blocked from viewing active mixed content (JavaScript included in separate files, <iframe> embeds).

Below are UNL-related examples. A more complete guide to fixing mixed content is available from Google.

What you want to see (using Google Chrome):

screenshot showing the green secure padlock in the Google Chrome browser address bar

What you see if you have mixed content (using Google Chrome):

screenshot of google chrome browser showing a gray information icon indicating mixed content

Finding the Specific Problem

Using Google Chrome, the specific problem can be found by right-clicking on the page, selecting "Inspect", then selecting "Console" in the panel that opens:

screenshot showing the Inspect item when you right click on the page

Also, Web Audit reports run after September 12 now include a Security section that will highlight these files.

Examples

If the file is on another site, often the HTTPS version of the content already exists and this just requires adding an "s" to the URL. (Change http:// to https://).

Before:

<script src="http://apis.google.com/js/platform.js" async defer></script>

Fixed:

<script src="https://apis.google.com/js/platform.js" async defer></script>

 

Before:

<img src="http://parking.unl.edu/images/zip_logo.png" alt="zipcar logo" />

Fixed: (if editing a page on parking.unl.edu)

<img src="images/zip_logo.png" alt="zipcar logo" />

Fixed: (if editing a page not on parking.unl.edu)

<img src="https://parking.unl.edu/images/zip_logo.png" alt="zipcar logo" />
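To check a whole page rather than one tag at a time, the following added example (not part of the original UNL guidance) scans HTML for http:// script, iframe and image references, labels each as active or passive mixed content, and suggests the fix shown above. The names MixedContentFinder, find_mixed_content and SAMPLE are hypothetical, and the sample markup is constructed from the two examples on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Per the page: scripts and iframes are active mixed content (blocked),
# images are passive (still shown, but flagged). Basic links are left alone.
ACTIVE_TAGS = {"script", "iframe"}
PASSIVE_TAGS = {"img"}


class MixedContentFinder(HTMLParser):  # hypothetical helper name
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (kind, tag, original URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS | PASSIVE_TAGS:
            return
        url = (dict(attrs).get("src") or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # https:// URLs and relative paths need no change
        if parts.hostname == self.page_host:
            # Same site: drop scheme and host. A root-relative path is used
            # here so the fix works from any directory on the site.
            fixed = parts._replace(scheme="", netloc="").geturl()
        else:
            # Other site: assumes that host also serves the file over HTTPS.
            fixed = parts._replace(scheme="https").geturl()
        kind = "active" if tag in ACTIVE_TAGS else "passive"
        self.findings.append((kind, tag, url, fixed))


def find_mixed_content(html, page_host):
    finder = MixedContentFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed sample built from the page's two examples, plus a plain link
# and an already-fixed image that must not be reported.
SAMPLE = """<a href="http://www.unl.edu/">UNL</a>
<script src="http://apis.google.com/js/platform.js" async defer></script>
<img src="http://parking.unl.edu/images/zip_logo.png" alt="zipcar logo" />
<img src="https://parking.unl.edu/images/zip_logo.png" alt="zipcar logo" />"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE, "parking.unl.edu"):
        print(*finding, sep="  ")
```

This only inspects src attributes in the static HTML; files requested by scripts or stylesheets at runtime still need the Chrome Console check described earlier.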

Need More Help?

Ask a question in the WDN chat room!