Form is not secure. Autofill has been turned off

[peachi]

https://www.bellinigirl.com/

I have had issues with both my url and zen secretadmin pages being not secure for the last few days. I have been reading all through the forum trying to figure it out and I can't. My web developer no longer does this work. I am trying to figure this out on my own. I have been emailing with my hosting company. My hosting company said they have switched my traffic to https and now the padlocks are back on both sites. BUT, Now when i go into admin, catalogs, products, edit and try to type in the description box it says:This form is not secure. Autofill has been turned off. in red. when i try to preview my page I get the same error message I would get when my urls were not secure: The Information you are about to submit is not secure. Could I please get help! :)

[peachi]

My hosting company said
I was able to replicate the issue. From what is currently done the SSL is up and running and all the required SSL redirects are in place. The config file for the site is updated to use the SSL. From what I could research It's because the page is encrypted (HTTPS) and the submit form isn't (HTTP). I have tried a few things but to no avail.

Does anyone know how to encrypt the submit form to HTTPS?

[lat9]

Noting that zc151 is very, very old ... but you might try setting (for both the /admin/includes/configure.php and the /includes/configure.php) both the HTTP_SERVER and HTTPS_SERVER settings to use https:// protocol.

I'm guessing that your HTTP_SERVER settings are as define('HTTP_SERVER', 'http://bellinigirl.com') and am suggesting that you change that to define('HTTP_SERVER', 'https://bellinigirl.com);

Remember, too, that the storefront version of that file is going to be marked read-only!

[swguy]

More details, if needed:

https://docs.zen-cart.com/user/insta...rt-in-zen-cart

[peachi]

Thanks - i don't know if the storefront version is marked read only being good or bad ? I apologize for my ignorance.

I do have a secured SSL certificate

I included some snipet of code in my htaccess file through my cpanel that helped stop the additional screen coming up when I click within zencart to "update" or "save" after i edit. but I'm still getting "This form is not secure. Autofill has been turned off" when I try to edit any of the products.

here's the code i added to the top of my htaccess file through cpanel- and saved.

<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

I'm in the USA, There's a UK Flag icon next to certain boxes within my zencart.(product, product description) And my hosting company thinks that may be an issue?

The hosting co. had emailed the following:

We have verified the mixed content error is not longer showing up. I've checked several search results. Chrome does some background checking to determine if it thinks a form is secure; this can be either SSL or code related. We noticed an insecure image on the page that's not being mentioned scan we did.



It's the language icon next to the form. This might be what is triggering Chrome to flag it as insecure however, we were unable to confirm that. We even tested by overriding the HTML with a secure link and it was fine. Therefore it could be something in how the code is designed. It could also be that there are many http:// links on the page, and these are being upgraded by security policy, though it cannot be verified if they are still considered insecure for sending data.

Bottom line, what else should I do to secure my site so i can get back up and running.
thanks!!!!!!!!!!!!!!!!

[peachi]

my hosting company also told me my version of cpanel is cPanel/CentOS 7 server

[peachi]

This code is from my public_html/includes/configure.php. I am not certain if this is the "/admin/includes/configure.php" you requested or the "/includes/configure.php". Perhaps you could please tell me how to find the location of both and which one my public_html is...I copied a portion of the code that has http in it. Should I change ALL instances of http to https? Thank you kindly

/**
* @package Configuration Settings circa 1.5.1
* @copyright Copyright 2003-2012 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* File Built by zc_install on 2013-10-09 07:36:35
*/


/*************** NOTE: This file is similar, but DIFFERENT from the "admin" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'http://bellinigirl.com');
define('HTTPS_SERVER', 'https://bellinigirl.com');

// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'true');

// NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
// * DIR_WS_* = Webserver directories (virtual/URL)
// these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', DIR_WS_CATALOG . 'pub/');
define('DIR_WS_TEMPLATES', DIR_WS_INCLUDES . 'templates/');

define('DIR_WS_PHPBB', '/');

[peachi]

thank you

[peachi]

where might i find that file HTTP_SERVER?

[peachi]

Noting that zc151 is very, very old ... but you might try setting (for both the /admin/includes/configure.php and the /includes/configure.php) both the HTTP_SERVER and HTTPS_SERVER settings to use https:// protocol.

I'm guessing that your HTTP_SERVER settings are as define('HTTP_SERVER', 'http://bellinigirl.com') and am suggesting that you change that to define('HTTP_SERVER', 'https://bellinigirl.com);

Remember, too, that the storefront version of that file is going to be marked read-only!

i am sorry. i think i've really confused myself. I believe what you are saying is to add an "s" right after 'http to the FIRST line that reads...define('HTTP_SERVER', 'http://bellinigirl.com'); so that both HTTP servers have an "s" after http?


define('HTTP_SERVER', 'http://bellinigirl.com');
define('HTTPS_SERVER', 'https://bellinigirl.com');

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'http://bellinigirl.com');
define('HTTPS_SERVER', 'https://bellinigirl.com');