Website deployed over HTTPS, but requested an insecure XMLHttpRequest endpoint


Current repository

github.com/tek6-scrumptious/cap3-scrumptious-coffee

was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint. This request has been blocked; the content must be served over HTTPS.

Hello Raboomar,

Unfortunately, the code repository linked says that the repo is empty.

However, directly looking at your site I can see that there are many requests to http://scrumptious-env-2.eba-ixgv7adq.us-east-1.elasticbeanstalk.com/ website that are blocked. That request is not https based so the browser is preventing them from being made.

There are two paths that I would suggest here:

  • if that elasticbeanstalk website supports HTTPS, then use that version of the URL.
  • if the website does not support HTTPS, I would recommend using a proxy redirect rule. With this solution, you would define a redirect that says a certain URL pattern should call this separate service. This would make your call the same origin and use the HTTPS protocol as the rest of your site.

For the second option, these are the steps it would take:

Add the following to the _redirects file:

/elasticbeanstalk/*  http://scrumptious-env-2.eba-ixgv7adq.us-east-1.elasticbeanstalk.com/:splat  200

Update the code so that all requests that would call http://scrumptious-env-2.eba-ixgv7adq.us-east-1.elasticbeanstalk.com/ now call /elasticbeanstalk/. For example, http://scrumptious-env-2.eba-ixgv7adq.us-east-1.elasticbeanstalk.com/add would be /elasticbeanstalk/add.

That should mitigate your browser mixed content error which is blocking your request.

I hope that helps!

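The second option above, worked through on the client side. This is an added example, not code from the thread or from the linked repository; it assumes the _redirects rule quoted in the reply is deployed, and it uses the backend host and the /elasticbeanstalk prefix named in that reply. The page and backend URLs in the tests are constructed for illustration.

```javascript
// Added example (not from the thread): keep every browser request same-origin
// and HTTPS by mapping absolute backend URLs onto the Netlify proxy path.
// Assumptions: the _redirects rule "/elasticbeanstalk/* <backend>/:splat 200"
// is in place; BACKEND_ORIGIN and PROXY_PREFIX are the values from the thread.

const BACKEND_ORIGIN =
  "http://scrumptious-env-2.eba-ixgv7adq.us-east-1.elasticbeanstalk.com";
const PROXY_PREFIX = "/elasticbeanstalk";

// True when a page served over HTTPS would issue a plain-HTTP request, which is
// exactly the condition the browser reports as blocked mixed content.
function isMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  return page.protocol === "https:" && target.protocol === "http:";
}

// Map an absolute backend URL onto the same-origin proxy path, e.g.
// "http://<backend>/add?x=1" -> "/elasticbeanstalk/add?x=1".
// Relative paths and URLs for any other origin are returned unchanged, so the
// helper can sit in front of every request without special-casing callers.
function toProxiedUrl(url) {
  let target;
  try {
    target = new URL(url);
  } catch {
    return url; // not an absolute URL: already same-origin
  }
  if (target.origin !== BACKEND_ORIGIN) return url;
  return PROXY_PREFIX + target.pathname + target.search + target.hash;
}

// fetch() wrapper: every call goes through the proxy path, so the browser only
// ever sees HTTPS, same-origin requests. fetchImpl is injectable for testing.
function apiFetch(url, init = {}, fetchImpl = globalThis.fetch) {
  return fetchImpl(toProxiedUrl(url), init);
}
```

Two things worth knowing before choosing this route. The trailing 200 status in the _redirects line makes the rule a proxy rewrite rather than an HTTP redirect: the browser's request stays on your HTTPS origin and Netlify's edge fetches the backend on its behalf. That resolves the mixed-content block, but the hop from the edge to the Elastic Beanstalk host still travels over plain HTTP, so anything sent to that backend is unencrypted on that leg; if the backend can serve HTTPS, the first option (use its HTTPS URL directly) is the better one.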

The Web currently, as of 2022, is supposed to be all HTTP, and even TLS 1.2 is being deprecated. It is meant now to be connecting when you are serving from tunnel to tunnel, in a way; when you think about it, from HTTP to HTTPS, there should be no more sites, especially on your e-commerce or production site, that reference or make connections to any HTTP sites. Using the proxy suggestion that someone had introduced has more attack surface and more vulnerability possibility by including third parties, and it is not recommended. If it is absolutely imperative to make a connection to this HTTP site, maybe you could contact your administrator and ask why the heck they’re running HTTP in 2022, because it is a nineteen ninety-eight thing now. Or perhaps browse over to https://rapiddns.io, type in just a domain name or the IP, and look at all the other associated hostnames and subdomains with that domain. Look for anything called API or perhaps any other links that may allow you to connect to an HTTPS site. Also, the last thing I can suggest is to run a port scan on the HTTP site and make sure you include all ports, TCP, and perhaps they’re running an SSL service on atat, who knows. Best bet, they’ll contact support of that place.