Chrome False Positive Insecure Form Page Warning


Greg Scott

Dec 14, 2020, 12:37:23 PM
to, Alexander Howard


Please help, we have a weird scenario where some Chrome users on Version 87.0.4280.88 (Official Build) (32-bit) get the "information not secure" page as referenced in


This error just started today 12/12/20 for these users. If you look at the screenshots you can see there is no mixed content and no insecure resources are loaded.


The next set of screenshots is here to provide additional details of what we see in the browser when the user clicks the login button and gets the error page.






I can be reached by cell phone below. Thanks for any guidance you can provide.


Greg Scott
Online Insight
404-600-5222 O
404-626-6066 M

Empowering health insurance e-marketplaces.



Emily Stark

Dec 14, 2020, 12:42:58 PM
to Greg Scott,, Alexander Howard
Thanks for the report! We are currently tracking this at; please follow that bug for further updates. It looks like your form submission is redirecting through an insecure http:// URL, which is why the warning is triggering. You may want to investigate your server configuration to see if there is a way to prevent that http:// redirect.


Greg Scott

Dec 14, 2020, 12:57:21 PM
to Emily Stark,, Alexander Howard

Hi Emily,

Thanks for the response.

We use AWS Load Balancer in a TLS Termination (Off Loading) Configuration.



From what we can tell, the form is submitted over HTTPS, but the response from the web server over HTTP to the Load Balancer is making it all the way to the Client’s browser (Chrome) instead of being terminated and converted to HTTPS. We submitted an issue to AWS; however, we believe the message presented to the consumer from Chrome is a false positive since the form does get submitted over HTTPS and it’s the response that is HTTP.


To resolve, we had to move to an SSL Bridging Configuration, basically making SSL Off Loading pointless.


Hope this helps.



Nick Harper

Dec 14, 2020, 4:59:04 PM
to Greg Scott, Emily Stark,, Alexander Howard
One of your screenshots shows that the request made to is returning a redirect response code with a Location header pointing to an http:// (not https) URL. That would be the insecure resource that gets loaded, and is likely the cause of the warning you're seeing.

Greg Scott

Dec 14, 2020, 5:03:35 PM
to Nick Harper, Emily Stark,, Alexander Howard

Thanks Nick,


We agree something is happening at the Load Balancer layer that’s pushing the HTTP redirect response all the way up to the client browser; however, my point is that the HTTP is in the response and not part of the submission, which the Google Warning page seems to imply.
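
An added example, not part of the thread and not code from Chrome, AWS or any poster: it assumes the http:// Location header comes from a backend that builds absolute redirect URLs from the scheme of its own plain-HTTP connection to the TLS-terminating load balancer. It shows that redirect, the same redirect built from the `X-Forwarded-Proto` request header, and a check for an HTTPS request answered by an http:// redirect. The host name, paths and function names are hypothetical.

```python
# Added example: constructed request data; host, paths and names are hypothetical.
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def redirect_location(environ, path):
    """Build an absolute redirect URL from the scheme the backend itself sees."""
    return f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{path}"


def honor_forwarded_proto(environ):
    """Return a copy of environ whose scheme is the one the client used.

    Assumes the backend is reachable only through the load balancer; a client
    that could reach it directly would be able to set this header itself.
    """
    fixed = dict(environ)
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if proto in ("http", "https"):
        fixed["wsgi.url_scheme"] = proto
    return fixed


def is_downgrade(request_url, status, location):
    """True when an https:// request is answered by a redirect to http://."""
    if status not in REDIRECT_CODES or not location:
        return False
    # A relative Location has no scheme and stays on the request's scheme.
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(location).scheme == "http")


# Constructed WSGI environ as seen by a backend behind a TLS-terminating LB.
BACKEND_ENVIRON = {
    "wsgi.url_scheme": "http",          # load balancer -> backend is plain HTTP
    "HTTP_HOST": "portal.example.test",
    "HTTP_X_FORWARDED_PROTO": "https",  # browser -> load balancer was HTTPS
}
FORM_URL = "https://portal.example.test/login"


def demo():
    naive = redirect_location(BACKEND_ENVIRON, "/home")
    fixed = redirect_location(honor_forwarded_proto(BACKEND_ENVIRON), "/home")
    return {"naive": (naive, is_downgrade(FORM_URL, 302, naive)),
            "fixed": (fixed, is_downgrade(FORM_URL, 302, fixed))}
```
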
