You are here

For the past several years, websites everywhere have been gradually transitioning to the use of secure (encrypted) connections by default for all web traffic. This is referred to as HTTPS-Only. This federal government document describes the HTTPS-only standard and why it is important. Most of Lehigh’s websites have already been changed to comply with the new standard. However, the static websites that reside on the web server at have not been forced to comply until now.

Who is affected by this change?

Anyone who maintains a static website at Lehigh on the server, an area formerly known as “AFS space,” is affected by the change. This includes personal <username> websites, but it also includes some departmental and organizational websites that reside in “in-” (institutional) accounts.

What is the impact of the change?

Pages that are not correctly coded will have the following problems:

  • The page may not load or display completely, and elements of the page loaded by non-secure references to other web servers may not render or work as intended.
  • The client’s browser console, which typically is not displayed unless you click to reveal it, will be filled with error messages and warnings.
  • The security indicators for the page (the padlock icon in the address bar and associated text) will indicate that the page is not secure, despite having been loaded using HTTPS.

What needs to be done so that pages will work correctly?

Within a web page, all component parts must be loaded securely or problems will be detected, resulting in what’s called a mixed-mode error. For a page to be truly secure, not only must the code for the page be loaded securely, but so must all of the other parts of the page that are specified by that code.

The following process ensures that all parts of your pages(s) load securely by removing code that makes them load insecurely.

STEP 1: Open your web editor and inspect your pages for every component type listed in the table below. For example, search the text of the code for the less-than sign and first word, for example <img.

Note: You can ignore any components that begin with the code “<a href="URL">”, since those hyperlinks point not to an object within the page, but to another web page entirely, and are not relevant to the changes you’re making.

Type of page component HTML element and relevant attribute
Image elements <img src="URL" …>
Included external CSS stylesheets <link href="URL" …>
Included external Javascript scripts <script src="URL" …>
Embedded Shockwave Flash animations or Java applets <embed src="URL" …>
<object data="URL" …>
Embedded audio <audio src="URL" …>
Embedded video <video src="URL" …>
Inline frame <iframe src="URL" …>

STEP 2: Once you locate a place where a URL is being specified in the code, make sure it does not specify “http:” at the beginning. If it does, simply remove that part.

For example, if the URL looks something like the following:

change it to:


If there is no “http:”, leave the URL exactly as it is. For example, the following URLs do not need to be changed:


Repeat steps 1 and 2 for every occurrence of any of the specified components in the file.

STEP 3: Republish your web page(s) after you’ve made your changes. The process is considered complete (for any given page) in the absence of any security errors or messages in the web browser or the browser console. In addition to using the browser's built-in console, there are a few security-check tools that may help you identify and fix mixed-mode problems:

If you are having difficulty remembering how to access and edit your static website, you may find the information in the LTS Website Setup guide to be helpful. And, as always, if you have questions or encounter problems, contact the Help Desk (see below).

For additional help, please contact the LTS Help Desk at 610-758-4357 or