Using the Mixed Content audit tool in Lighthouse

Posted on by Alex Bolshakova

When a secure (HTTPS) site requests an insecure (HTTP) resource, that is called a mixed content error. Some browsers block insecure resource requests by default. If your page depends on these insecure resources, then your page might not work properly when they get blocked.

Figure 1. Google Chrome (version 66) blocking insecure content

Also, browsers may warn users that your page is not fully secure.

Figure 2. Google Chrome (version 66) reporting that a page is not fully secure.

How to use this audit

This audit is not run by default in Lighthouse, and currently requires that you have Chrome Canary installed. To use it, you will need to run the Lighthouse command-line tool. You can install Lighthouse using npm:

npm install -g lighthouse

To run the audit, you can use the included --mixed-content flag:

lighthouse --mixed-content http://www.example.com

This will create a new HTML report file in your current working directory.

Recommendations

For each URL that Lighthouse lists, modify your code to request that URL over HTTPS:

https://example.com

Rather than HTTP:

http://example.com

Even if you are not ready to fully upgrade your site to HTTPS yet, upgrading some URLS to HTTPS can increase the security of your users and make it easier for you to avoid mixed content warnings when you do upgrade to HTTPS in the future.

See a SEO’s guide to securing a website to upgrade your site to HTTPS.

Insecure resources which are not upgradeable to HTTPS may require other changes. Contact the providers of these resources to explore your options.

More information

Lighthouse loads the page once to record the URL of each resource requested. Then, Lighthouse loads the page again, but this time intercepts each request and tries to upgrade the URL to use HTTPS. If the upgraded requests succeed, Lighthouse reports that request as upgradeable in the audit results.

Read more

For those feeling intimidated by the prospect of switching to HTTPS, columnist Patrick Stox breaks down the process in a SEO’s guide to securing a website.

Stephanie LeVonne’s helpful comprehensive guide to SSL certificates. 

Here is original article.