Quan Mai
Jul 7, 2017
visibility 4234
star star star star star
(4 votes)

Commerce Manager over HTTPS with load balancer

Commerce Manager - either you like it or hate it - is still an important part of Commerce, and there are functionalities which can't be found else where, so you will have to stick with it for the time being. And as it's important enough, it's a recommended practice to secure the site with HTTP over SSL - aka HTTPS (Along with other security measures such as put it behind a firewall or limit access to trusted IP only, etc.). However, it might be a problem if you want to put it behind some load balancer. This kind of message can be seen in such scenario (via browser console):

default.aspx:1 Mixed Content: The page at 'https://commercemanager.com/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://commercemanager.com/Apps/Shell/Scripts/Shell/mainLeftTemplate.js?v=10.7.3.0'. This request has been blocked; the content must be served over HTTPS.

Due to your browser configuration, you might not access the site because it blocks the mixed content. While HTTPS is great, mixed content can open doors for attacks like Man in the middle and it's best that browsers disable that by default.

But that can be solved, easily enough, if you:

  • Upgrade your site to at least Commerce 10.6.0, to have this bug https://world.episerver.com/documentation/Release-Notes/ReleaseNote/?releaseNoteId=COM-4220 fixed
  • Configure the header X-Forwarded-Proto to "https" on your load balancer. Because most of the load balancers will redirect to non-HTTPS requests before they reach to ASP.NET (in this case, Commerce Manager), then we need a way to know that the request was on HTTPS or not, to load the assets correctly.

And now your Commerce Manager will be happily working over HTTPS, behind a load balancer.

Jul 07, 2017

Comments

Islam Hamed
Islam Hamed Jan 31, 2019 08:45 PM

Hey Quan,

We are facing this issue now with one of our clients with version 10.4.3.

I just want to confirm if the above 2 solutions have to be done together or either of them? Can we skip the upgrade and only do the load balancer one?

Thanks!

Feb 1, 2019 07:49 AM

Hi Islam, They should be in together

error Please login to comment.
Latest blogs
Bynder DAM Connector for Optimizely SaaS CMS: Improved Metadata Property Synchronization

While working with the Bynder DAM Connector for Optimizely SaaS CMS , one of the key areas I explored was how Bynder asset metadata is synchronized...

Vipin Banka | Jul 11, 2026

Optimizely DXP: Every Supported Culture, One Searchable Page

Quick one for anyone building multi-language sites on Optimizely DXP. I put together a reference tool listing all 806 supported cultures. More...

Adnan Zameer | Jul 10, 2026 |

A day in the life of an Optimizely OMVP: London Meetup 2026

On 2nd July 2026 the Optimizely London Developer Meetup returned to The Lightwell, and the running theme across the evening was less about individu...

Graham Carr | Jul 10, 2026

Optimizely’s Summer ’26 Roadmap: The CMS Is Starting to Look Less Like a Publishing Tool and More Like Marketing Infrastructure

Optimizely’s Summer ’26 Product Roadmap event was not just a list of product updates. At least, that is not the part I found most interesting. The...

Augusto Davalos | Jul 9, 2026