Apple touch icon causes mixed content warning

Is this issue fully resolved? The reason I ask is that Firefox doesn’t seem to like the remote avatar images? If you go to this forum, you will see a little padlock + orange warning triangle in the URL bar. That site is self-hosted using a docker image and may well not be properly configured! Notwithstanding, the Firefox icon means “Connection is not secure: your connection is not private and information you share with the site could be used by others: this website contains content that is not secure (such as images)”. More info here. This warning icon only appeared recently, within the last few weeks, so I suspect it is connected with the default avatar issue documented being in this thread. Thanks as always to the dev team. HTH.

The reason for that mixed content warning does not have to do anything with avatars. It is caused by the apple touch icon being configured as an http URL instead of HTTPS:


@RGJ Thanks for the tip.

So I duly create a 144×144 px icon locally (the red square with some text) and add it to Settings > Required > apple touch icon.

So far so good although I don’t have an iPhone to test its use. But the Firefox URL bar warning icon persists. So I check the external URLs using View Page Info and find that Discourse has used http and not https. As shown:

In relation to this URL:

So is the use of http in this situation a bug in Discourse? Or is this correct behavior? Thanks again to the devs and TIA also.

This is not the only custom site-specific icon that is http if you look closely at the screenshot but it will quite usefully serve as our test case. The others were loaded at the time the site was established a couple of years back so they are not so informative.

Have you enabled the force_https site setting ?


@RGJ Not yet. I will need to coordinate with the site owner first. For others visiting this thread, the dialog for that setting is shown below. Thanks for your help.

Force https rewrites http URLs to https. It’s mandatory for any site served with a certificate. If you hit any problems it can be disabled again from the console.

1 Like

@Stephen Thanks. I figured so. But I need to clear this with the “boss” first.

FWIW, you’ve already enabled https on the site. That’s why you can hit the homepage at https://. Turning on that setting simply tells Discourse that you did so and allows it to coordinate the URLs as needed.