use-https
Added in 0.2.10
Fix is always available.
What it does
Checks for http:// URLs in HTML attributes that load or link external resources.
Why is this bad?
http:// traffic is unencrypted and can be intercepted or modified in transit.
Modern browsers also block mixed content (HTTP subresources on an HTTPS page),
so a single http:// URL can silently break the page.
Prefer https:// for all external links and subresources.
Example
Use instead:
Fix safety
This rule's fix is marked as unsafe: rewriting the scheme changes which endpoint the browser uses. The host may not serve HTTPS at all, so the fix can break a link or subresource that previously worked over HTTP, and even when HTTPS is available it may serve different content.
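The check and the fix caveat described above, sketched as an added example that is not the linter's own implementation: it reports http:// URLs in resource attributes and only proposes the https:// form for hosts a reviewer has already confirmed. The attribute list, the function names and the `verified_hosts` allowlist are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption: attributes treated here as loading or linking a resource.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data"}

class HttpUrlFinder(HTMLParser):
    """Collect (line, tag, attribute, url) for each http:// URL found."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # line where the tag starts
        for name, value in attrs:
            if not value:
                continue
            if name == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            elif name in URL_ATTRS:
                urls = [value.strip()]
            else:
                continue  # e.g. xmlns: a namespace name, nothing is fetched
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((line, tag, name, url))

def find_http_urls(html):
    finder = HttpUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def safe_rewrite(url, verified_hosts):
    """Return the https:// form, or None when the rewrite needs manual review."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in verified_hosts:
        return None  # host not confirmed to serve the same content over HTTPS
    if parts.port is not None:
        return None  # explicit port: swapping the scheme would keep the HTTP port
    return urlunsplit(("https",) + tuple(parts)[1:])

# Constructed sample page (not from the rule's documentation).
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<img src="/a.png" srcset="http://img.example.com/a.png 1x, https://img.example.com/b.png 2x">
<a href="HTTP://example.org/docs">docs</a></html>
"""
```

URLs for which `safe_rewrite` returns `None` are the ones to check by hand before changing the scheme.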