VAST-4.1-exec-resource-https
VAST-4.1-exec-resource-https
OMID <ExecutableResource> reference should use HTTPS when it is a URL
WarningSecurityIAB VAST 4.1 §2.3VAST 4.1, 4.2, and 4.3
Short answer
When the <ExecutableResource> reference is a URL, serve it over HTTPS. Plain HTTP is blocked by mixed-content policies on secure inventory and breaks verification.
Why this matters in production
This rule is a strong risk signal. Tags with this issue often still parse, but they become brittle across SDKs, SSAI resolvers, and CTV environments. Security rules show up most often on mobile, CTV, and browser runtimes that enforce HTTPS, mixed-content blocking, or stricter asset loading than desktop test environments. Affected scope: VAST 4.1, 4.2, and 4.3.
Check your VAST tag for
VAST-4.1-exec-resource-https and other issues instantly.Open the VAST tag validator →Other Security rules
VAST-2.0-mediafile-https<MediaFile> URL uses HTTP instead of HTTPSVAST-2.0-tracking-httpsTracking or click URL uses HTTP instead of HTTPSVAST-2.0-url-emptyURL field is emptyVAST-2.0-url-invalidURL field does not appear to be a valid URIVAST-4.1-js-resource-httpsOMID <JavaScriptResource> URL should use HTTPS