Notes:
- The scope of this article is limited to the two primary causes of browser-generated security-related warnings encountered by Four51 Support
- Not all browsers behave the same way and browser authors routinely update security standards to protect users
- These warnings do not mean that the site is compromised, but they should be taken seriously and fixed
Nonetheless, this article gives you a starting point for troubleshooting. The two primary causes of any type of "not secure" warning are SSL certificate problems and content delivered over HTTP, also known as mixed content.
For example, Chrome may display a "not fully secure" error because of mixed content. Mixed content occurs when the initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. Here's a real-life example, with the URL slightly altered: the mixed content is http://www.four51.org/Themes/Custom/[guid]/[catalog name]/images/Header.png. In the partials/branding.html HTML override, that file is hardcoded as http when it needs to be https. Making that change will eliminate the security-related error.
Turning now to SSL certificates, often called "certs," an SSL certificate gives a protected site the padlock icon next to its URL in the address bar. That icon tells visitors that the data they exchange with the site (especially their own data) is encrypted in transit so it can't be stolen, altered or misused. A site with an invalid or expired SSL cert will throw a security-related error. If you see this on a Four51 Storefront website built for one of your customers, please contact your IT team. If you determine that the cert was issued and managed by Four51, please submit a case.

As noted above, there are other types of site-security warnings with other root causes. Our goal here is to give you some background on two relatively common issues so you can begin the trouble-shooting process.
In other news, Google recently began rolling out gradual changes to the Google Chrome browser to block mixed-content rendering and mixed-content downloads. Starting in January 2021, Google will begin to block HTTP file (images, docs, pdf) downloads from an HTTPS site by default.
This may affect your end users’ ability to access non-HTTPS downloads or images started on secure pages within Salesforce.
- Images: If a user is viewing a secure webpage (HTTPS), and if any of the content displayed as part of the webpage is hosted on a non-secure link (HTTP), then the content (for example, image or video) will be displayed as a broken image.
- Downloads: If a user is viewing a secure webpage (HTTPS), if there is a download link or attachment in the webpage, and if the corresponding content is hosted on a non-secure site (HTTP or FTP only), then clicking on the link will result in an error.
Google is making this change to improve user privacy and security while using Chrome. This change will present a clearer browser security user experience to end users.
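
The following is an added example, not part of the original article or Four51's code: a Python scan of an HTML override such as partials/branding.html for hardcoded http:// or ftp:// references, separating resources the browser loads while rendering the page from download links. The sample markup, the example.com host and the download-extension list are constructed assumptions.

```python
from html.parser import HTMLParser

# Tag/attribute pairs the browser fetches automatically while rendering the page.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("video", "src"),
    ("audio", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
# Extensions treated as file downloads when linked from <a href> (assumed list).
DOWNLOAD_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".png", ".jpg")

class MixedContentScanner(HTMLParser):
    """Collects insecure references as (line, kind, tag, url) tuples."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, url in attrs.items():
            low = url.lower()
            if not low.startswith(("http://", "ftp://")):
                continue  # https://, relative and protocol-relative URLs are fine
            is_css = (tag == "link" and name == "href"
                      and "stylesheet" in attrs.get("rel", "").lower())
            is_file = low.startswith("ftp://") or low.split("?")[0].endswith(DOWNLOAD_EXTS)
            if (tag, name) in SUBRESOURCE_ATTRS or is_css:
                kind = "subresource"   # rendered as broken or blocked content
            elif tag == "a" and name == "href" and is_file:
                kind = "download"      # clicking the link results in an error
            else:
                continue               # plain navigation link to an http:// page
            self.findings.append((self.getpos()[0], kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup standing in for an HTML override.
SAMPLE = """<div class="branding">
  <img src="http://www.example.com/Themes/Custom/images/Header.png">
  <img src="https://www.example.com/Themes/Custom/images/Footer.png">
  <link rel="stylesheet" href="http://www.example.com/css/site.css">
  <a href="http://www.example.com/docs/catalog.pdf">Catalog</a>
  <a href="http://www.example.com/about">About</a>
</div>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: insecure {kind} in <{tag}>: {url}")
```

Each finding is fixed the same way as the Header.png case above: change the hardcoded scheme to https once the file is confirmed to be reachable over HTTPS.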