
Any tool available to detect what's not HTTPS on an encrypted page?

开发者 https://www.devze.com 2022-12-26 13:39 Source: Internet
More often than I like, when designers edit some of our sites' pages, they include JavaScript or an external image on our SSL pages that are not encrypted. For example, if we have a page like this:

https://www.example.com/cart/EnterCreditCard

And the designer includes some non-encrypted image like this:

<img src='http://www.cardprocessor.com/logo.gif' />

Of course, this creates errors in all browsers:

  • IE: Do you want to view only the webpage content that was delivered securely?
  • Firefox: Connection Partially Encrypted
  • Chrome: (I forget this message)

What I'm looking for is a tool or plugin that lets me easily see what objects are not encrypted. A Firefox extension or something along those lines would be great.

Edit: Ben pointed me in the right direction. If you're using Chrome, do a Ctrl-Shift-J to bring up the developer tools. Then click on Resources to see all the items on the page.


For completeness, since Firefox was mentioned:

If you use Firefox with Firebug installed, you see all of the assets downloaded on the Net panel. Hovering over each line gives you the full URL, so you can quickly scan for those http: lines.


Try Fiddler - http://www.fiddler2.com/fiddler2/

It works with IE and Firefox. When you have Fiddler running and pull up a web page, it shows all assets that are downloaded: JavaScript, images, etc.

The SSL items will have a little "lock" icon next to them, while others will not. This tool is great for debugging Ajax too.


I develop with Safari and use resource tracking in the Web Inspector to see which resources are loaded from http://.


You could write a scanner to find non-relative references, and check if they are https. Depending on your process you could make it a build/publish phase to be passed before publishing it to production. If there is no appropriate process, you could always use it as a scheduled scan for changed content and create a trigger to be notified of violations.

But personally I would really try to reduce the manual work of checking every page via a browser plugin.
