Security Issue on Nginx Website

Recently, Nginx reported a security issue on their blog about Rapid Reset Attack on HTTP/2 and while I was checking the blog, I figured out they have also mixed content security issues on the site. I wrote a comment about it on their blog.

Later I checked all their website and I saw they use WordPress as their CMS and most probably the website address is set to http://nginx.com instead of https://nginx.com. So the whole site has mixed content security issues. I wrote it again to the blog comment but my comment is not approved (yet 🙂 ).

I’m copying & pasting my comment below and let’s hope Nginx will fix their website soon. I also informed Nginx via their info email.

Yes, it is.

Chrome desktop does not show this error, but mobile version shows.

The problem is some files are loaded from http protocol on this https page. I see this error often on mobile and I wrote a blog about it, which includes how to fix it.

You can see the image is loaded from http on attached screenshot.

As you are using WordPress for content management, you can change website url from http://nginx.com to https://nginx.com which will solve the problem for future content. For existing content, you need to make search & replace in the database.

I see you also have links to http version of nginx.com in your pages, so you had better to use a search&replace output filter for WordPress, there are already some plugins written for this functionality.