Commerce over HTTPS errors


I am trying to establish a CMS site that runs completely over the HTTPS protocol, which is working, but when I try to access the commerce site via the manager integration, I am getting a lot of mixed content errors, which are causing the site to not load properly.

Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure stylesheet ''. This request has been blocked; the content must be served over HTTPS.

I looked at the file and have updated that to use SSL, but that doesn't seem to make any bit of difference.  Why would the resources being requested by commerce be sent over an HTTP connection instead of an HTTPS connection?

Jul 14, 2016 17:00

I ended up adding a Content-Security-Policy: upgrade-insecure-requests response header which forced the content to be loaded via https, which seems to have done the trick.  Ideally, it would be great if Epi were to use the url from the web config from the cms, or else have a setting that allows you to change all the links to be https instead of http (perhaps I am missing that setting).

Nov 08, 2016 16:18

I've had a similar problem, but it's actually on the Promotions section of Commerce Manager. Whenever you use any fields to add SKU/Products that causes an AJAX callback, it fails. Initially it is the issue you mentioned above where I've added the HttpProtocol CustomHeader... but then when that is in place you get a 302 redirect to the login page which fails ultimately.

I don't suppose you came across this did you later? As I've been a bit stumped on this one now, tried all kinds of re-write rules.

Dec 12, 2016 17:50

Unfortunately, I am not using Promotions in my code, so I haven't come across this issue.

Dec 12, 2016 17:51

Ah ok - I'll keep on looking. Thanks for the quick response.

Dec 12, 2016 17:53

Commerce Manager does not work over HTTPS if the encryption is terminated at the load-balancer.

The views use CommerceHelper.GetAbsolutePath(string)

This little ****** uses the HttpContext.Current.Request.Url as a base for the absolute URL.

So, if the request is decrypted on the load-balancer, then the site receives the request using the HTTP scheme, and thus will create the absolute URL using HTTP.

Edited, Mar 21, 2017 21:51
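The behaviour described in the post above, as an added example that is not part of the thread and not Episerver's code: a base URL taken from the request the application itself received comes out as `http://` once TLS is terminated upstream, and a proxy-aware variant corrects it only for trusted peers. The `X-Forwarded-Proto` header, the proxy address, the host name and the stylesheet path are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class SchemeBehindLoadBalancer
{
    // Assumption: internal address of the TLS-terminating load balancer (constructed value).
    static readonly HashSet<IPAddress> TrustedProxies =
        new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

    // Mirrors the behaviour the post describes: scheme and host come from the
    // URL the application saw, so a decrypted request produces an http:// link.
    static string NaiveAbsolutePath(Uri requestUrl, string path)
    {
        var root = new Uri(requestUrl.GetLeftPart(UriPartial.Authority));
        return new Uri(root, path).ToString();
    }

    // Proxy-aware variant: the forwarded scheme is honoured only when the TCP
    // peer is a known proxy, because any client can send the header itself.
    static string ProxyAwareAbsolutePath(Uri requestUrl, IPAddress peer,
                                         string forwardedProto, string path)
    {
        var root = new Uri(requestUrl.GetLeftPart(UriPartial.Authority));
        var builder = new UriBuilder(new Uri(root, path));
        if (TrustedProxies.Contains(peer) &&
            string.Equals(forwardedProto, "https", StringComparison.OrdinalIgnoreCase))
        {
            builder.Scheme = Uri.UriSchemeHttps;
            builder.Port = -1; // drop the internal port; use the default for https
        }
        return builder.Uri.ToString();
    }

    static void Main()
    {
        // Constructed request as seen by the site after the balancer decrypted it.
        var seen = new Uri("http://shop.example.com/Apps/Commerce/Manager");
        const string css = "/Apps/Shell/styles/main.css"; // hypothetical resource

        Console.WriteLine("naive:           " + NaiveAbsolutePath(seen, css));
        Console.WriteLine("via trusted LB:  " + ProxyAwareAbsolutePath(
            seen, IPAddress.Parse("10.0.0.5"), "https", css));
        // Same header from an untrusted peer is ignored, so the scheme is unchanged.
        Console.WriteLine("untrusted peer:  " + ProxyAwareAbsolutePath(
            seen, IPAddress.Parse("203.0.113.9"), "https", css));
    }
}
```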


We are working on this issue, it will be fixed in upcoming releases.



Apr 20, 2017 13:37

We have a fix for this in the upcoming release 10.6.0. If you want to test for the fix, contact us directly and we can send you a pre-release build.

Thanks & regards,


Apr 26, 2017 1:12

Commerce 10.6.0 was released yesterday.

May 16, 2017 18:26

Steven Carter: In which file did you add the Content-Security-Policy: upgrade-insecure-requests response header?

Sep 20, 2017 9:26