====== How to avoid security warnings on secure pages ======

===== Why it happens =====

If a page is loaded on the HTTPS protocol (e.g. //<nowiki>https://www.YourStore.com/shop/pc/OnePageCheckout.asp</nowiki>//), but one or more elements included in the page are being loaded using the HTTP protocol (e.g. //<nowiki><script type="text/javascript" src=" http://www.google-analytics.com/urchin.js "></script></nowiki>//), then a security warning message like the one below might be shown.

{{:productcart:screenshot_ie_problem.png|Example of a security warning message}}

Note that not all browsers show these alerts with the same degree of visibility (could be just an icon in the status bar). In Internet Explorer 8, for instance, they are very visible (see screen shot above) and can very negatively impact your drop-off rate (customers become uncomfortable with your store's security and leave the store).

===== Linking vs. loading content =====

Security warnings are not caused by "links" to pages or other content, but rather by the way files are **loaded** onto the page itself. The type of files that are loaded onto a Web page (and that typically cause this problem) include:

  * **Images** (e.g. <img src="http://www.mystore.com/images/myImage.gif"> would cause the issue)
  * **Cascading style sheets** (*.css files)
  * **JavaScript files** (*.js files)
  * **Flash animations** (*.swf files)
  * ...

===== How to fix the problem =====

To fix the problem you simply need to eliminate any code that loads elements onto the page via the HTTP protocol, and replace it with code that loads the same content either locally or via HTTPS.

Do the following:

  * Download //pc/header.asp// and //pc/footer.asp// 
  * Open both files with an HTML editor
  * Make sure that all files (see examples above) are loaded with either relative links (e.g. src="../../images/myImage.gif"), relative absolutes ("/images/myImage.gif") or absolute links that use the HTTPS protocol (e.g. src="https://www.mystore.com/images/myImage.gif"). This includes any third-party script (including tracking code from Google, Yahoo!, etc.).

When using third-party scripts, make sure that you are using the HTTPS version of those scripts. Vendors sometimes make both the HTTP and HTTPS version available. Choose the HTTPS one.