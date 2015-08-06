You know how AppScan Standard and other dynamic testing tools report a finding when an HTTPS page accesses some HTTP resources? How do you fix this issue effectively?

Perhaps the owners of those resources have already done all the server-side legwork: obtaining a certificate, configuring the server, and setting up redirects. And they've ensured that the content is accessible at the same host and path over a secure scheme. However, it can still be very resource-consuming for a company to rewrite all its code to add that “s” at the end of each HTTP source, even though the resource server already has SSL enabled. To address this, Content Security Policy introduced a new directive: “upgrade-insecure-requests.”
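The following is an added example, not code from the original post: it models what a browser requests for `http://` subresources when the page is served with `Content-Security-Policy: upgrade-insecure-requests`, and what remains mixed content without it. The host names, the sample markup and the function names are assumptions made for illustration.

```javascript
// Added example: models the effect of upgrade-insecure-requests on subresources.
// Host names and SAMPLE_HTML below are constructed for illustration.
const SAMPLE_HTML = `
<script src="http://static.example.com/app.js"></script>
<img src="http://static.example.com:80/logo.png">
<img src="https://static.example.com/ok.png">`;

// Split a Content-Security-Policy header value into directive -> values.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function hasUpgradeInsecureRequests(headerValue) {
  return parseCsp(headerValue).has('upgrade-insecure-requests');
}

// URL the browser would request for a subresource under the given policy.
function effectiveUrl(resourceUrl, cspHeader) {
  const url = new URL(resourceUrl);
  if (url.protocol === 'http:' && hasUpgradeInsecureRequests(cspHeader)) {
    // Only the scheme changes (default port 80 becomes default port 443);
    // host, explicit non-default port, path and query stay as written.
    url.protocol = 'https:';
  }
  return url.href;
}

// List every http:// src attribute and what would be fetched for it.
function auditPage(html, cspHeader) {
  const findings = [];
  const srcAttr = /\bsrc\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  for (const match of html.matchAll(srcAttr)) {
    const fetched = effectiveUrl(match[1], cspHeader);
    findings.push({ original: match[1], fetched, mixed: fetched.startsWith('http:') });
  }
  return findings;
}

console.log(auditPage(SAMPLE_HTML, "default-src 'self'; upgrade-insecure-requests"));
```

The directive rewrites the request but does not fall back: if a host does not actually serve the resource over HTTPS at the same path, the upgraded request fails rather than loading over HTTP.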