web.dev LIVE has kicked off! Join us now for our digital event from June 30th to July 2nd at web.dev/live

Understand Security Issues With Chrome DevTools

Use the Security Panel in Chrome DevTools to make sure HTTPS is properly implemented on a page. See Why HTTPS Matters to learn why every website should be protected with HTTPS, even sites that don't handle sensitive user data.

Open the Security panel

The Security panel is the main place in DevTools for inspecting the security of a page.

  1. Open DevTools.

  2. Click the Security tab to open the Security panel.

    The Security panel
    Figure 1. The Security panel

Common problems

Non-secure main origins

When the main origin of a page is not secure, the Security Overview says This page is not secure.

A non-secure page
Figure 2. A non-secure page

This problem occurs when the URL that you visited was requested over HTTP. To make it secure you need to request it over HTTPS. For example, if you look at the URL in your address bar, it probably looks similar to http://example.com. To make it secure the URL should be https://example.com.

If you've already got HTTPS set up on your server, all you need to do to fix this problem is configure your server to redirect all HTTP requests to HTTPS.

If you don't have HTTPS set up on your server, Let's Encrypt provides a free and relatively-easy way to start the process. Or, you might consider hosting your site on a CDN. Most major CDNs host sites on HTTPS by default now.

Mixed content

Mixed content means that the main origin of a page is secure, but the page requested resources from non-secure origins. Mixed content pages are only partially protected because the HTTP content is accessible to sniffers and vulnerable to man-in-the-middle attacks.

Mixed content
Figure 3. Mixed content

In Figure 3 above, clicking View 1 request in Network panel opens the Network panel and applies the mixed-content:displayed filter so that the Network Log only shows non-secure resources.

Mixed resources in the Network Log
Figure 4. Mixed resources in the Network Log

View details

View main origin certificate

From the Security Overview click View certificate to quickly inspect the main origin's certificate.

A main origin certificate
Figure 5. A main origin certificate

View origin details

Click one of the entries in the left-hand nav to view the origin's details. From the details page you can view connection and certificate information. Certificate transparency information is also shown when available.

Main origin details
Figure 6. Main origin details

Feedback

Was this page helpful?
Yes
What was the best thing about this page?
It helped me complete my goal(s)
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It had the information I needed
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It had accurate information
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It was easy to read
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
Something else
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
No
What was the worst thing about this page?
It didn't help me complete my goal(s)
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It was missing information I needed
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It had inaccurate information
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
It was hard to read
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.
Something else
Thank you for the feedback. If you have specific ideas on how to improve this page, please create an issue.