HTTPS URL contains a form posting to HTTP

This means that the URL in question uses the HTTPS protocol, but contains a form that posts to a HTTP URL.

Why is this important?

If a URL is loaded over the HTTPS protocol, this means all communications between the users' browser and the website are encrypted. However, if a form is hosted on this URL which posts to HTTP, this data will not be encrypted, and therefore not secure.

Browsers will typically display a security warning to the user each time they try to send data because the data will not be encrypted.

What does the Hint check?

This Hint will trigger for any internal HTTPS URL which contains a form that posts to a HTTP URL.

Examples that trigger this Hint:

Consider the URL: https://example.com/page-a

The Hint would trigger for this URL if it contained any of the following in the HTML:

Form POST to an HTTP URL:

<form action="http://example.com/form_submit.php" method="POST"></form>

Form without method to an HTTP URL:

<form action="http://example.com/form_submit.php"></form>

Form GET to an HTTP URL:

<form action="http://example.com/form_submit.php" method="GET"></form>

Form POST to an HTTP URL:

<form action="http://example.com/form_submit.php" method="POST"></form>

Form without method to an HTTP URL:

<form action="http://example.com/form_submit.php"></form>

Form GET to an HTTP URL:

<form action="http://example.com/form_submit.php" method="GET"></form>

Form GET to an HTTP URL using single quotes:

<form action='http://example.com/form_submit.php' method='GET'></form>

Form GET to an HTTP URL using no quotes:

<form action=http://example.com/form_submit.php method=GET></form>

How do you resolve this issue?

Users and website owners want data to be transferred securely, so the form's target URL should be delivered over HTTPS.

Further reading

• Sending form data (Mozilla docs)

Security in Sitebulb

Learn more about Sitebulb's website security audit