Cesium website downgrades to http and raw IP address

Firstly - apologies if this is posted in the wrong place.

1. A concise explanation of the problem you’re experiencing.

The Cesium website Convert Model page forwards from https://cesiumjs.org/convertmodel.html ->

Notice both the https -> http downgrade, and the usage of a raw IP address.

Relevant info in the response:

Status Code: 302 Found


A side effect of this is that since it downgrades from https to http, the certificate chain no longer exists, so the user cannot verify that the page is being hosted by cesium, or is not otherwise hijacked.

2. A minimal code example. If you’ve found a bug, this helps us reproduce and repair it.

Navigate to https://cesiumjs.org/convertmodel.html (the first result that pops up on google when searching “gltf converter”). Notice that you get forwarded to

This issue may exist for other pages, but this has not been investigated.

3. Context. Why do you need to do this? We might know a better way to accomplish your goal.

I want to upload files to the converter without them being viewed in plaintext by a third-party observer.

I want to know that the page I’m viewing has not been hijacked.

Implementing HTTP Strict Transport Security headers on the server would be nice, to ensure that an http downgrade will be rejected by the browser.

Hi Tristan,

Thanks for pointing this out, this is indeed the correct place.

The model converter has not yet been migrated from a legacy host, it’s in the process of being merged. We’ll bump this post when it has been properly migrated.



Good to know, thanks for the explanation!