In a PHP site I request images (user profile photos) from a PHP file; the images are loaded explicitly using HTTPS, as is the entire site, where HSTS is enabled.
The problem is that the site gives a "Mixed content" warning in Chrome and Firefox even though not a single asset is loaded using HTTP - all are either relative or explicit HTTPS in the source code.
When I look at the network tab in Chrome developer tools, I can see that the image is initially requested using HTTPS, but then an internal 307 redirect using HTTP is made, and finally the image is retrieved using HTTPS.
[Screenshot: HTTP request in Chrome network tab]
The PHP file that returns the image has the request routed by index.php and .htaccess using a simple RewriteRule:
RewriteRule ^([^/.]+)/([^/.]+)/?$ index.php?action=$1&data1=$2 [L,QSA]
And the PHP file is very simple as well:
if(!isset($_GET["f"])) die("filepath missing");
// basename() strips any directory part, so "f" cannot be used to read files outside filecache
$name = basename($_GET["f"]);
$file = APP."/filecache/".$name;
if(file_exists($file)){
    if(substr($name,-3)=="jpg") header("Content-Type: image/jpeg");
    if(substr($name,-3)=="png") header("Content-Type: image/png");
    header('Cache-Control: max-age='.(60*60*24*365));
    // HTTP dates must be in IMF-fixdate form and GMT ("Sun, 06 Nov 1994 08:49:37 GMT");
    // the original Expires used a local "Y-m-d H:i:s" string, which browsers do not parse
    header('Expires: '.gmdate('D, d M Y H:i:s \G\M\T', strtotime("+365 days")));
    header('Last-Modified: '.gmdate('D, d M Y H:i:s \G\M\T', filemtime($file)));
    readfile($file);
}else{
    die("no such file");
}
The web app works "fine", but the mixed content warning really frustrates me, so I would really appreciate any pointers or ideas that might work.
The site is running on a DO VPS, Apache/Nginx with PHP-FPM 7.1.
Kind regards and happy holidays, Mark
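For readers reusing the image-serving script above, here is a hardened version of the same endpoint, added as an example and not the poster's own code. It keeps the question's APP constant, "filecache" directory and one-year cache lifetime; the allowlist regex, the realpath containment check, the finfo content check and the conditional-request handling are additions for illustration. It does not change the routing and does not address the 307 redirect the question is about; it only shows how the file-serving part can be written so that the "f" parameter cannot reach files outside the cache directory and so that the caching headers are well-formed.

```php
<?php
// Added example (not the original poster's code): hardened image-serving endpoint.
// Assumes APP is defined by the app's index.php, as in the question.
declare(strict_types=1);

const CACHE_DIR = APP . '/filecache';   // directory named in the question
const MAX_AGE   = 60 * 60 * 24 * 365;   // one year, as in the original script

// Extensions we serve and the MIME type the bytes must match.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

// HTTP dates must be IMF-fixdate in GMT (RFC 7231), e.g. "Sun, 06 Nov 1994 08:49:37 GMT".
function httpDate(int $ts): string {
    return gmdate('D, d M Y H:i:s', $ts) . ' GMT';
}

// Map the requested name to a real file inside CACHE_DIR, or null if it must be rejected.
function resolveCacheFile(string $requested): ?string {
    // Accept only a bare filename: letters, digits, dot, dash, underscore, with an allowed extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png)\z/i', $requested)) {
        return null;
    }
    $base = realpath(CACHE_DIR);
    $real = realpath(CACHE_DIR . '/' . $requested);
    // realpath() resolves ".." and symlinks, so a link pointing outside the cache is caught here too.
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function serveImage(string $path): void {
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $mime = ALLOWED_TYPES[$ext];

    // Refuse files whose bytes do not match the extension, so a mislabelled upload is never served as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($path) !== $mime) {
        http_response_code(415);
        exit('unsupported file');
    }

    $mtime = filemtime($path);
    $etag  = '"' . hash_file('sha256', $path) . '"';

    // Conditional request: answer 304 when the browser's copy is still current.
    $inm = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
    $ims = $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '';
    $imsTs = $ims !== '' ? strtotime($ims) : false;
    if ($inm === $etag || ($imsTs !== false && $imsTs >= $mtime)) {
        http_response_code(304);
        exit;
    }

    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');  // browser must not reinterpret the body as another type
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Cache-Control: public, max-age=' . MAX_AGE . ', immutable');
    header('Expires: ' . httpDate(time() + MAX_AGE));
    header('Last-Modified: ' . httpDate($mtime));
    header('ETag: ' . $etag);
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

$path = resolveCacheFile($_GET['f'] ?? '');
if ($path === null) {
    // Same 404 for "not allowed" and "not found", so the response does not reveal which it was.
    http_response_code(404);
    exit('no such file');
}
serveImage($path);
```

The containment check compares the resolved path against the resolved cache directory with a trailing slash, so a sibling directory whose name merely starts with "filecache" is not accepted. Returning 404 for both rejected and missing names keeps the endpoint from confirming which filenames exist outside the cache.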