SSL/HTTPS Mixed Content Warnings – How to Automatically Report Errors

The general push to use SSL/HTTPS for every web site is improving security and privacy on the Internet. However, every request a web site makes will need to be secure, or browsers can remove the ‘Secure’ indicator, show a warning symbol, and sometimes pop up errors.

You can add a simple header that will tell browsers to report back to your server if any insecure requests are made. I combined this with a simple PHP script that logs to the server’s error log. This alerts me to sites I host and develop that have insecure content, so I can fix them.

Step 1 – Add the Content Security Policy reporting header

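# nginx: report-only policy; a source directive is required, since a policy with only report-uri never produces a report.
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report-endpoint.php";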

Step 2 – Add PHP Script

Add this simple PHP script as csp-report-endpoint.php:

<?php
// Write the raw JSON report body POSTed by the browser to the PHP error log.
error_log(file_get_contents("php://input"));

Now, when a site attempts to load an insecure resource, you will get a message in your error log, and you can use this information to fix your site.
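The endpoint above writes whatever any client sends straight into the error log. A stricter variant, as an added example that is not the original script: it accepts only POSTed reports, caps the body size, and logs a fixed set of fields with control characters stripped so a request cannot forge or flood log lines. The 8 KB cap, the 512-character field limit and the choice of logged fields are assumptions.

```php
<?php
// Added example: stricter version of csp-report-endpoint.php.
// MAX_BYTES, the 512-char limit and FIELDS are assumptions, not from the original post.
const MAX_BYTES = 8192;
const FIELDS = ['document-uri', 'blocked-uri', 'violated-directive', 'effective-directive'];

function clean_field($value): string
{
    // Keep printable ASCII only, so a report cannot inject newlines or escape sequences.
    $s = is_scalar($value) ? (string) $value : '';
    return substr((string) preg_replace('/[^\x20-\x7E]/', '?', $s), 0, 512);
}

function summarize_report(string $body): ?string
{
    if ($body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $out = [];
    foreach (FIELDS as $name) {
        $out[$name] = clean_field($data['csp-report'][$name] ?? '');
    }
    // Re-encode as JSON so each log entry is a single, unambiguous line.
    return 'CSP report: ' . json_encode($out, JSON_UNESCAPED_SLASHES);
}

$method = $_SERVER['REQUEST_METHOD'] ?? '';
$type = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
if ($method !== 'POST' || !in_array($type, ['application/csp-report', 'application/json'], true)) {
    http_response_code(400);
    exit;
}
// Read one byte past the cap so oversized bodies are detected and rejected.
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
$line = summarize_report($body === false ? '' : $body);
if ($line === null) {
    http_response_code(400);
    exit;
}
error_log($line);
http_response_code(204);
```

Rate limiting is best handled in front of PHP, at the web server, since any visitor's browser (or any script) can POST to this URL.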