Browser security warnings after installing SSL certificate

Winhost > SSL
Some of the most popular web browsers now display an "insecure" warning when visiting pages that are not accessed via HTTPS. The "insecure" warning may also be triggered on an HTTPS connection if certain page elements - such as images or external scripts - are not accessed via HTTPS.
 
After you have installed an SSL certificate for your domain there are still some things you may need to do to prevent any "insecure" warnings in your visitor's browser. If you install an SSL certificate but don't properly direct site traffic to use it, you will get the warnings.
 
That's because installing an SSL certificate makes https available, but it does not automatically send your visitors to an HTTPS URL. To force all incoming connections to use HTTPS you'll want to add an entry to the system.webServer element of your web.config file (go ahead and create the file if you don't already have one) that uses the IIS URL rewrite module to redirect all non-HTTPS traffic to HTTPS:
 
 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Redirect to https" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
 
That will take care of forcing all incoming connections to HTTPS, though for the sake of consistency you may also want to update your site navigation and internal links to use the HTTPS URL.
 
If you still see insecure site warnings after implementing the URL rewrite, try:
 
  • Updating local image links (also references to images or scripts from outside of your domain) that use an HTTP absolute path URL to use the HTTPS URL.
  • If you're using a database-driven application like WordPress, you may have to update the HTTP URLs in the database. There are "find and replace" WordPress plugins that can help with that.
Article ID: 1465, , Modified: 12/5/2018 at 2:04 PM

Was this article helpful?

Share this article