HTTPS and Subresource Integrity
Verify external resource integrity with the integrity attribute.
Why HTTPS Everywhere
HTTPS encrypts data in transit and authenticates the server. Without HTTPS, attackers on the same network (cafe wifi, ISP, state actor) can read every byte and inject malicious content into responses. Modern browsers mark HTTP pages as "Not Secure" and many APIs (camera, geolocation, service workers) refuse to work over HTTP.
Mixed Content
Loading HTTP resources from an HTTPS page is mixed content. The browser blocks active mixed content (scripts, iframes, stylesheets) outright and warns about passive (images). Always load every resource over HTTPS; use protocol-relative URLs (//cdn.example.com) or absolute https://.
All lessons in this course
- Content Security Policy meta http-equiv
- XSS via innerHTML and How to Prevent It
- iframe Sandboxing and Permissions Policy
- HTTPS and Subresource Integrity