Play Instances issues with mixed HTTPS and HTTP content

Dear community,

While testing a new application we are currently developing we have found out that all instances send invalid response headers on url redirects.

For instance, visiting should redirect to but instead it redirects to

If you notice the redirect header is wrongly mixing the HTTPS -> HTTP redirect. This is normally not an issue because the browser visits the HTTP page and nginx produces a new HTTP -> HTTPS redirect.

However if DHIS2 is served inside an iframe, due to the enhanced security policies of iframes, the browser detects this redirect inside the document and blocks it as mixed content.

In our instances we have identified this same problem in the past and resolved it by updating the catalina connector found in the server.xml file.

        relaxedQueryChars='\ { } | [ ]'

To make sure all applications work correctly on play instances we would like to raise awareness of this issue to @dhis2-backend and @dhis2-platform to see if it can be resolved.

Also it might be helpful for others to provide a notice on the related parts of the implementer guide docs as this issue might be also affecting other organizations deploying DHIS2 instances to HTTPS.

Even though right now this only affects to DHIS2 being served over an iframe, it is likely that in future browser updates the policies regarding mixed content are tightened so fixing this problem might avoid future problems.



Dear @SferaDev,

Thanks for bringing this to our attention! Our QA/devops team will update the deployment config as well as fix our current play instances.

Best regards,

1 Like

Thanks @Karoline for taking a look into it!

1 Like