Javascript and jQuery not secure over https

  • I am building an ASP.NET MVC 3 app which will run in Azure. Everything was working well, until I switched to https. Now most of my jQuery plugins and some other javascript are not secure.

    I'm using the Datatables library as well as jsTree, watermarks and breadcrumbs. Most of this script is to make our site look appealing.

    Is there a way to make this secure? Or is it time to move to a very lean javascript site?

    Thank you for the help!

    Please describe what you mean by "not secure"

    user2213 Correct answer

    9 years ago

    I serve my entire site over https, jquery included.

    The trick is to use a CDN for jQuery that supports https, or deploy the code to your own site and include it from your domain. In code, for example:

    <script type="text/javascript" 

    Works fine and will show up as a secure element.

    Now, is that actually secure? Well, I generally trust Google APIs as a CDN and the content I have is not that crucial - however, if I wished to ensure I had total control of the jQuery deployment, I could just host it myself:

    <script type="text/javascript" 

    Both will work fine. Bottom line: you do not have to deploy jQuery from the CDN, however, if you want to, at least one of them supports https (others may, I looked no further).

    An aside to consider - one of the reasons for accessing code from the CDN was to always have the latest version of the jQuery code. Deploying it yourself, you do lose this immediacy - you also gain a slight buffer against breaking updates, although hopefully that shouldn't be an issue.

    Thank you for the help, you are exactly right! This was the issue that I suspected, but for some reason overlooked it when debugging... I have no idea how I missed it.

    Should also make sure all CSS, pictures and such on the page are also using https src links.

    Have you considered using HTTP-Strict-Transport-Security (HSTS)?

    @Rook HSTS does not help with getting http content displayed in https sites because HSTS rules are not applied until the https version of the site has been visited once.
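
The check the answer and comments above describe (every script, stylesheet and image on an https page must itself load over https), written as an added Python example that is not part of the original thread. The page URL, hosts and sample markup are constructed placeholders, and the active/passive labels are an assumption of this example that follows how browsers separate scripts, stylesheets and frames from images and media.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTR = {"script": "src", "iframe": "src", "link": "href",
              "img": "src", "audio": "src", "video": "src", "source": "src"}
PASSIVE = {"img", "audio", "video", "source"}  # display-only; the rest is active

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, "active" | "passive", resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTR.get(tag, ""))
        if not value:
            return
        # <link> fetches a subresource only for some rel values; check stylesheets.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page, so on an https page they stay https.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            kind = "passive" if tag in PASSIVE else "active"
            self.findings.append((tag, kind, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.com/jquery.min.js"></script>
<script src="//cdn.example.com/jquery.jstree.js"></script>
<script src="/Scripts/jquery.dataTables.js"></script>
</head><body><img src="http://img.example.com/logo.png">
<a href="http://www.example.com/about">About</a></body>"""

if __name__ == "__main__":
    for tag, kind, url in find_mixed_content("https://app.example.com/", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Ordinary links (`<a href>`) and the canonical `<link>` are not reported because the browser does not fetch them as part of rendering the page.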

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM