Spoiler alert: If your website is not 100% secured by Feb 2021, it won’t work in Chrome.
Ok, this headline does sound a bit dramatic, but it’s still true. And the devil is in the detail.
For some time now, lots of websites have been delivered securely using HTTPS (and its reassuring little padlock). However, many sites have individual bits of content that are not delivered so securely. Remember that each image on your site is a separate request and could come from a different place. So even if the main page is secure, the images might come over a non-secure connection.
This was quite common for a while. We did not typically care too much that some images were not secure as they were typically not as confidential, and we wanted to save our SSL processing power for other pages.
As security concerns and challenges have increased, Google (and others) have encouraged us not to use what they call “Mixed content” pages by displaying various warning messages.
Google has now had enough of the gentle approach, and starting with Chrome version 80, released to the development channel in January, things are getting a little medieval.
Chrome will now mark HTTPS pages with mixed content as Not Secure. It will also attempt to auto-upgrade those with mixed content to HTTPS, but if it fails it will just block them outright.
This is expected to be fully implemented in Chrome 81 released in February 2020.
What can I do?
Ensure that all your pages are served over a secure SSL connection. You can use tools like Chrome Developer Tools to see what sort of content you are being sent.
How can I force my application to only use HTTPS?
You could reconfigure all your application servers and web servers to force HTTPS. Alternatively, you can simply use an Edgenexus Flightpath rule to fully secure the site with SSL offload. That will save you time, reduce stress and make Chrome happy.
Flightpath is an advanced traffic magic management tool that sits at the heart of the Edgenexus Load Balancer/ADC platform. It’s easy to use, but very powerful.
Some example rules:
Redirect HTTP to HTTPS
This simple rule will redirect anyone wanting to visit a web page with the path /secure to an HTTPS version of the site.
Fix URLs in my code to change them from HTTP to HTTPS
Some applications may have been designed to be HTTP only and, as such, URLs may be hardcoded with HTTP://.
The following rules will find these in the page and fix them on the fly.