All Collections
Advanced
SSL / HTTPS
Force All Ads Secure with a Content Security Policy
Force All Ads Secure with a Content Security Policy

If you're getting insecure warnings for any Mediavine ads, we recommend setting a Content Security Policy. Find out how!

Jacob Feltner avatar
Written by Jacob Feltner
Updated over a week ago

While we and our ad partners do our best to make sure all advertisements are SSL-compatible, an occasional bad egg slips through the review crack. Unfortunately, all it takes is one insecure request to break that pretty green secure lock in the address bar and possibly compromise your site's security. Luckily, there's a solution - setting a Content Security Policy.

A Content Security Policy, or a CSP, can tell the web browser what to do when it runs into an insecure request. We recommend setting a CSP to "block-all-mixed-content" so that the web browser will automatically ignored any parts of an advertisement that attempt to load insecurely. This way you'll to get a green secure logo and the ad simply won't render. While this isn't ideal, it's certainly preferred to a broken SSL lock.

First thing's first: Check to see if your SSL is working properly and that you don't have any existing insecure assets(images, files, etc) on your site. This is important since the solutions below will block insecure assets from loading. Get the url of a popular post and check it on this site. If you see "SSL Connection - Pass" and "Mixed Content - Pass", then you can apply the CSP according to the instructions below.

If you don't pass, then that means you either need to reach out to your host with regards to your SSL implementation or have them help make the insecure assets on your site secure.

So how do you enable this CSP? There's 2 ways:

  1. Wordpress: In this case, you should be running the Mediavine Control Panel plugin. In that plugin's settings you can enable setting "Block Insecure Assets," which will set this up automatically for you.


    Click "Save Changes" and clear the caching from any caching plugins you may have installed. If in the rare case you find that this setting isn't applying the CSP, then we advise working with your host to see if they can apply the block-all-mixed-content CSP on their end.
    ​

  2. Non-WordPress: If you don't have access to your server, such as with a hosted platform like Blogger, SquareSpace, etc. the next best alternative is to set a meta tag. You can do this by putting the following code anywhere between your <head></head> code:
    ​
    ​<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />
    ​

Note: If you find that your site has the upgrade-insecure-requests CSP active, this will prevent the block-all-mixed-content CSP from applying. If this is the case, reach out to your host to see if they can remove the upgrade-insecure-requests CSP.

Did this answer your question?