The general push to use SSL/HTTPS for every web site is improving security and privacy on the Internet. However, every request a web site makes will need to be secure, or browsers can remove the ‘Secure’ indicator, show a warning symbol, and sometimes pop up errors.
You can add a simple header that will tell browsers to report back to your server if any insecure requests are made. I combined this with a simple PHP script that logs to the server’s error log. This alerts me to sites I host and develop that have insecure content, so I can fix them.
Step 1 — Add the Content Security Policy reporting header
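# nginx config. default-src https: makes any non-HTTPS load (and inline script/style) a reportable violation; report-uri alone reports nothing.
add_header Content-Security-Policy-Report-Only "default-src https:; report-uri /csp-report-endpoint.php";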
Step 2 — Add PHP Script
Add this simple PHP script as csp-report-endpoint.php:
<?php error_log(file_get_contents("php://input"));
Now, when a site attempts to load an insecure resource, you will get a message in your error log, and you can use this information to fix your site.
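A hardened variant of the one-line logger from Step 2, as an added example that is not part of the original post: it caps the request body, parses the report JSON, logs only violations whose blocked-uri is a plaintext http:// or ws:// URL, and strips control characters so report values cannot forge log lines. The 8192-byte cap, the function names and the log format are assumptions; the field names are those of the legacy report-uri report body.

```php
<?php
// Added example: hardened csp-report-endpoint.php, not the original post's code.
// Assumes the legacy report-uri body {"csp-report": {...}}; the size cap is an assumed value.
const MAX_REPORT_BYTES = 8192;

// Strip control characters and bound length so a report value cannot forge log lines.
function clean_field($value): string
{
    $s = is_scalar($value) ? (string) $value : '';
    return substr((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s), 0, 300);
}

// Return a one-line log entry for a plaintext (http:// or ws://) load, or null to drop it.
function summarize_csp_report(string $body): ?string
{
    if (strlen($body) > MAX_REPORT_BYTES) {
        return null;
    }
    $data = json_decode($body, true);
    $report = is_array($data) ? ($data['csp-report'] ?? null) : null;
    if (!is_array($report)) {
        return null;
    }
    $blocked = clean_field($report['blocked-uri'] ?? '');
    // Drops "inline", "eval", data: and other reports that are not insecure requests.
    if (!preg_match('#^(?:http|ws)://#i', $blocked)) {
        return null;
    }
    return sprintf(
        'CSP insecure load: page=%s blocked=%s directive=%s',
        clean_field($report['document-uri'] ?? ''),
        $blocked,
        clean_field($report['violated-directive'] ?? '')
    );
}

if (PHP_SAPI === 'cli') {
    // Constructed sample report, so the script can be checked with `php csp-report-endpoint.php`.
    $sample = '{"csp-report":{"document-uri":"https://example.com/","blocked-uri":"http://cdn.example.net","violated-directive":"img-src"}}';
    echo summarize_csp_report($sample), PHP_EOL;
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $body = (string) stream_get_contents(fopen('php://input', 'rb'), MAX_REPORT_BYTES + 1);
    $line = summarize_csp_report($body);
    if ($line !== null) {
        error_log($line);
    }
    http_response_code(204); // nothing to return to the browser
}
```

The endpoint is unauthenticated and receives whatever a client chooses to POST, so rate limiting it at the web server keeps a flood of reports from filling the error log.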