How can I make a website partially unsecure? - http

I have a website that uses HTTPS so it is secure by default.
I am aiming to send some HTTP requests from the website, but the problem is that modern versions of web browsers do not allow the use of HTTP requests inside of HTTPS sites.
So, what I am trying to do here is to make a portion of my website un-secure using HTTP instead of HTTPS, so that I can send the requests I want.
Is that possible?
If there are any other suggestions to send HTTP requests, please help me with it.

Related

Why detect HTTP protocol instead of just use '//' for linked content like JS, AJAX, CSS, etc?

I've seen a lot of software that tries to determine if the current protocol is HTTP or HTTPS, mainly to output links and avoid the Mixed content error.
Usually the software checks some server variables (for example, $_SERVER['HTTP'] in PHP, see this question: PHP Get Site URL Protocol - http vs https).
This method may work, but fails for example when you have a reverse proxy that receives SSL traffic and requests content from a web server over HTTP (so when the software checks the HTTPS status it's off). The web server will respond with HTTP links but the content is actually served over HTTPS.
There's a simple solution for this: just use links without protocol: '//' instead of 'http://' or 'https://'.
So, my question is: is it a better practice to detect the current protocol (http or https) instead of just using the default protocol for content links (CSS, JS, images, AJAX, etc)? If yes, why is this?
Using '//' works, but it means your resources must be available with http and https.
So you can simply use 'https://' so you are sure to always use the secure connection, and avoid mixed-content errors.
(Of course, the most secure option is to always use https, with a 301 redirect on http and HSTS)

HTTP on a HTTPS Website

I was just wondering about this small question. I know it is irrelevant to coding, but I just had to know quickly.
If you type in http:// for a https:// will it still take you to the correct place?
That is mostly dependent on the server configuration. The server has to accept the initial HTTP request and be configured to redirect the client to an appropriate HTTPS url.
That being said, there are some Internet standards related to automating HTTP-to-HTTPS upgrades. HTTP Strict Transport Security and Upgrade Insecure Requests allow an HTTP/S server to tell clients that it wants them to automatically use HTTPS for all subsequent requests. If a client visits an HSTS/UIR-enabled server, it will receive a normal HTTP response with additional HSTS/UIR-related headers. If the client supports HSTS/UIR, it will then know to automatically send all subsequent HTTP requests to that same server using HTTPS, and in the case of UIR also treat any received HTTP URLs as if they were HTTPS URLs.
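The reverse-proxy problem from the earlier question and the redirect/HSTS/UIR behaviour described in this answer, combined in one added example (not code from any of the posts). It takes objects shaped like Node's `http.IncomingMessage`; the proxy address, canonical host and sample requests are constructed assumptions.

```javascript
// Added example. TRUSTED_PROXIES and CANONICAL_HOST are assumptions for illustration.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // constructed address of the TLS-terminating proxy
const CANONICAL_HOST = 'example.com';          // redirect target is pinned, not taken from the Host header

// Scheme the browser actually used, not the scheme of the last hop.
function clientScheme(req, trusted = TRUSTED_PROXIES) {
  if (req.socket.encrypted) return 'https'; // TLS terminated by this process
  const fwd = req.headers['x-forwarded-proto'];
  // Believe the header only when the direct peer is our own proxy:
  // any client can send X-Forwarded-Proto itself.
  if (fwd && trusted.has(req.socket.remoteAddress)) {
    return fwd.split(',')[0].trim().toLowerCase() === 'https' ? 'https' : 'http';
  }
  return 'http';
}

// 301 to HTTPS for plain HTTP; otherwise attach the HSTS and UIR headers.
function transportPolicy(req, trusted = TRUSTED_PROXIES) {
  if (clientScheme(req, trusted) === 'http') {
    return { status: 301, headers: { Location: `https://${CANONICAL_HOST}${req.url}` } };
  }
  return {
    status: 200,
    headers: {
      // Browsers ignore HSTS unless it arrives over HTTPS, so it is set only here.
      'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
      // UIR: http:// subresource URLs in the page are fetched as https://.
      'Content-Security-Policy': 'upgrade-insecure-requests',
    },
  };
}

// Constructed requests: same headers, different direct peer.
const viaProxy = { socket: { encrypted: false, remoteAddress: '10.0.0.5' },
  headers: { host: 'example.com', 'x-forwarded-proto': 'https' }, url: '/a?b=1' };
const spoofed = { socket: { encrypted: false, remoteAddress: '203.0.113.9' },
  headers: { host: 'example.com', 'x-forwarded-proto': 'https' }, url: '/a?b=1' };

console.log(transportPolicy(viaProxy).status, transportPolicy(spoofed).headers.Location);
```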

Website displays differently in https from http. How to fix that

Sorry for this stupid question, but can someone suggest why the following website is displaying differently in http and https? Here are the two links:
https://www.sportengland.org/careers/jobs-at-sport-england/
http://www.sportengland.org/careers/jobs-at-sport-england/
The content that is not displaying properly on the HTTP website is iFrame content.
Basically, the HTTP or HTTPS protocol will not affect the format of the page.
It might be because they have hosted the site on two hosts, one with SSL (HTTPS) and another without SSL (HTTP).
And there could be a chance that they updated one application and did not make the same changes in the other.

How can I disable HTTPS/SSL on a specific page in Meteor?

On one of the pages on my website, I need to have an iFrame that often displays content from http sites. I haven't found a way to display that information on my https page.
After looking around, I think the best solution might be to remove https from some of those pages. Is that possible in Meteor using Iron Router or some other tool? Or is there any way to make the iframe content display?
Meteor does not support HTTPS by itself. The way to do it is to place a component in front of Meteor (like haproxy or nginx) that will perform the SSL offloading and send plain HTTP requests to Meteor. So the SSL connection is actually between the browser and the proxy in front, let's assume it is nginx. nginx will then forward all requests to Meteor as http.
As such, Meteor is not necessarily aware that https traffic is happening. Therefore you do not need to adjust anything inside Meteor or with Iron Router. Unfortunately there is no way to trick browsers into accepting http iFrames inside https sites, even if you were to tinker with nginx settings.
Your options are to either include the external content on your server and proxy it (you could configure nginx to proxy the request to an external site and talk http to that data provider and serve https to the browser, just like you would for the Meteor server) or somehow bring the content into your Meteor app to serve it by itself.
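The proxy option from this answer, as an added example that is not part of the original post and is written in JavaScript rather than as nginx configuration. It shows only the URL mapping, with an allowlist so the same-origin path cannot be pointed at arbitrary hosts; `ALLOWED_UPSTREAMS`, the `/ext/` prefix and the hostnames are assumptions.

```javascript
// Added example. ALLOWED_UPSTREAMS and PREFIX are assumptions for illustration.
const ALLOWED_UPSTREAMS = new Set(['legacy.example.net']); // constructed HTTP-only provider
const PREFIX = '/ext/';

// Page side: turn an http:// iframe URL into a same-origin path served over HTTPS.
// Returns null for anything that is not plain HTTP to an allowlisted host.
function proxiedSrc(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'http:' || u.username || u.password) return null;
  if (u.port || !ALLOWED_UPSTREAMS.has(u.hostname)) return null;
  return `${PREFIX}${u.hostname}${u.pathname}${u.search}`;
}

// Proxy side: map an incoming request path back to the upstream URL.
// The allowlist is checked again because the path comes from the client.
function upstreamFor(requestPath) {
  if (!requestPath.startsWith(PREFIX)) return null;
  const rest = requestPath.slice(PREFIX.length);
  const slash = rest.indexOf('/');
  const host = (slash === -1 ? rest : rest.slice(0, slash)).toLowerCase();
  if (!ALLOWED_UPSTREAMS.has(host)) return null;
  const target = new URL(`http://${host}${slash === -1 ? '/' : rest.slice(slash)}`);
  // Confirm URL parsing did not change which host is contacted.
  return target.hostname === host ? target.href : null;
}

console.log(proxiedSrc('http://legacy.example.net/widget?id=7'));
console.log(upstreamFor('/ext/legacy.example.net/widget?id=7'));
```

Content fetched this way is delivered from your own origin, so it is worth keeping the proxied path on a separate hostname or in a sandboxed iframe.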

ASP.NET HTTPS/SSL Caching and Dynamic Pages

I have an IIS6 ASP.NET 2/3.5 site that ALWAYS seems to be caching anything that goes through an https request. HTTP requests always work the same, but I see old/invalid data on https requests.
I see this a lot with pages where I'm doing http rewriting, but in general, it almost seems like the site has one set of values it shows to http requests and another to https requests, without having any backend code that renders differently based upon the scheme.
Any ideas? Does IIS have a weird ssl caching option I'm not aware of?
The ports were set up wrong in IIS. Although the domain was correct, because I was using port 443 it got forwarded to another site (because of the host headers setup).
