Dealing with Security issues?

Crawl your website with Sitebulb for 300+ tech SEO checks

Try for Free
High This Hint is very important, and definitely warrants attention. Issue This Hint represents an error or problem that needs to be fixed.

Loads page resources using protocol relative URIs

This means that the URL in question loads in resources using protocol relative URLs, which can be requested over HTTP and as such represent a security vulnerability.

Why is this important?

Protocol relative syntax has become relatively common over the last few years, as HTTPS adoption has spread, as it conveniently eliminates the need for developers to construct URLs based on the user's current security context. If this syntax is used on an HTTP page to include something from a CDN, it retrieves the HTTP version. If the user uses it on an HTTPS page, it retrieves the HTTPS version.

However, allowing the snippet to request over HTTP opens the door for attacks like the Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.

What does the Hint check?

This Hint will trigger for any internal URL (either HTTP or HTTPS) which includes resource links using a protocol relative URI.

Examples that trigger this Hint

Consider the URL: https://example.com/page-a

The Hint would trigger for this URL if it loads even a single resource using a protocol relative URI:

JavaScript resource link using protocol relative URI:

<script src="//code.jquery.com/jquery-2.2.3.min.js"></script>

CSS resource link using protocol relative URI:

<link href='//fonts.googleapis.com/css?family=Istok+Web' rel='stylesheet' type='text/css'>

Image resource src using protocol relative URI:

<img src="//example.com/img/logo.png">

How do you resolve this issue?

You should use only https:// URLs when loading resources on your page (even if these are 3rd party resources that do not live on your own domain). For each URL that loads protocol relative resources, update the resource references to point to the HTTPS counterparts, using absolute URIs.

In some cases, you may find that the resources in question are not available over HTTPS, in which case seek to do one of the following:

  • Include the resource from a different host, if one is available.
  • Download and host the content on your site directly, if you are legally allowed to do so.
  • Exclude the resource from your site altogether.

Further reading

Sitebulb Desktop

Find, fix and communicate technical issues with easy visuals, in-depth insights, & prioritized recommendations across 300+ SEO issues.

  • Ideal for SEO professionals, consultants & marketing agencies.

Sitebulb Cloud

Get all the capability of Sitebulb Desktop, accessible via your web browser. Crawl at scale without project, crawl credit, or machine limits.

  • Perfect for collaboration, remote teams & extreme scale.