CloudPanel version(s) affected
1.1.1
Description
This issue was flagged by our SEO agency during a technical audit. The injected tag contains links using http:// instead of https://, for example:
html
here
This introduces insecure HTTP references on a fully HTTPS site, which can negatively affect:
SEO signals (mixed content warnings, insecure internal links)
Google Search Console reports
Trust signals for crawlers and browsers
The site runs exclusively on HTTPS. There is no reason for any plugin to inject http:// links into the page output.
How to reproduce
Actual behavior
The tag referencing ?PageSpeed=noscript is injected unconditionally on every frontend page, with no setting in the plugin UI to disable it.
Steps to reproduce
Install and activate the CLP Varnish Cache plugin
Enable Varnish Cache in plugin settings
Visit any frontend page and inspect the HTML source
Observe the PageSpeed tag injected immediately after
Possible Solution
Please consider the following improvements:
Add an opt-in/opt-out toggle in the plugin settings to enable or disable the PageSpeed injection. It should be disabled by default, as most servers do not use mod_pagespeed or ngx_pagespeed.
Respect the site's protocol — if the injection is kept, the generated URLs should use the protocol defined in WordPress settings (get_site_url()), not a hardcoded http://. On HTTPS sites, all injected links must use https:// to avoid insecure references and mixed content issues.
Additional Context
No response
CloudPanel version(s) affected
1.1.1
Description
This issue was flagged by our SEO agency during a technical audit. The injected tag contains links using http:// instead of https://, for example:
html
here
This introduces insecure HTTP references on a fully HTTPS site, which can negatively affect:
SEO signals (mixed content warnings, insecure internal links)
Google Search Console reports
Trust signals for crawlers and browsers
The site runs exclusively on HTTPS. There is no reason for any plugin to inject http:// links into the page output.
How to reproduce
Actual behavior
The tag referencing ?PageSpeed=noscript is injected unconditionally on every frontend page, with no setting in the plugin UI to disable it.
Steps to reproduce
Install and activate the CLP Varnish Cache plugin
Enable Varnish Cache in plugin settings
Visit any frontend page and inspect the HTML source
Observe the PageSpeed tag injected immediately after
Possible Solution
Please consider the following improvements:
Add an opt-in/opt-out toggle in the plugin settings to enable or disable the PageSpeed injection. It should be disabled by default, as most servers do not use mod_pagespeed or ngx_pagespeed.
Respect the site's protocol — if the injection is kept, the generated URLs should use the protocol defined in WordPress settings (get_site_url()), not a hardcoded http://. On HTTPS sites, all injected links must use https:// to avoid insecure references and mixed content issues.
Additional Context
No response