Running an SSL site? Don't want mixed content? Expurgate lets you serve non-HTTPS content over HTTPS!
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Running an SSL site? Don't want mixed content warnings? Expurgate lets you serve external, non-HTTPS content over HTTPS!

How it works

On your HTTPS pages, instead of requesting an image over HTTP — which would throw up a mixed content warning in the user's browser — you change the link server-side so that it's passed through expurgate instead. So, instead of:

<img src="">

You'd request:

<img src="">

Expurgate will then fetch and serve it over SSL — meaning that every request on your page is still encrypted, and your users see no mixed content warnings.

Use WordPress?

If you use WordPress, there’s a plugin that will convert all of your in-post images for you: wp-expurgate.

What's this checksum?

So that not just anyone can request images — which would make you, in effect, a free image hosting service — the code calling expurgate is expected to generate a checksum to authenticate its request. This is an SHA-256 HMAC value, based on a shared secret known by both the calling code and expurgate — but not by the viewer of the page.

So, to generate the checksum in the above example, the calling code would look like:

$url = '';

$key = file_get_contents('cache/key.txt');

$checksum = hash_hmac('sha256', $url, $key);

<img src="<?php echo $checksum ?>&url=<?php echo urlencode($url) ?>" />


PHP >= v5.3.0 with hash functions.