Security Mix Content

// Security - Mixed Content:

If the application loads resources over both HTTPS and HTTP, the content that 
is served over the unencrypted channel is exposed: an attacker can potentially 
exploit the connection between the client and the server and inject malicious 
content.

At the very least, the attacker may be able to steal the session ID if other 
protections, such as the Secure flag and the HttpOnly attribute, are not used.

If the included resource contains active content such as JavaScript libraries, 
an attacker can run client-side code, resulting in phishing, sensitive data 
disclosure, or redirection to malicious sites.
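
To find such references before a browser does, the following added example (not part of the original note) scans the HTML of an HTTPS page for subresources that resolve to `http://` and labels them active or passive. The tag lists are a simplified assumption rather than the browser's full classification, and the `example.test` hosts and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a fetch. "Active" resources can script or
# restyle the page; "passive" ones are only displayed (simplified lists).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            kind, ref = "active", a.get("href")
        elif tag == "form":  # data posted to an http:// action leaves in clear text
            kind, ref = "form", a.get("action")
        elif tag in ACTIVE:
            kind, ref = "active", a.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, ref = "passive", a.get(PASSIVE[tag])
        else:
            return
        if not ref:
            return
        # urljoin resolves relative and protocol-relative (//host/...) references
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return mixed-content findings; a page not served over HTTPS has none."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample input
SAMPLE_URL = "https://app.example.test/account"
SAMPLE_HTML = """<script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="//static.example.test/site.css">
<img src="http://img.example.test/logo.png"><img src="/local.png">
<form action="http://forms.example.test/submit" method="post"></form>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Protocol-relative and relative references inherit the page's HTTPS scheme, so only the three explicit `http://` references in the sample are reported.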

If we need to send data to an external site, make sure that we:

1. Do not pass sensitive information as part of the URL (this information 
    might be exposed in the log file). If we need to pass sensitive 
    information as part of the request, use POST instead of GET.
2. Use HTTPS.
3. Do not ignore any SSL certificate warnings.
4. Protect the private key that is used by the web server (this private key
    should not be available outside of the web server itself).