Skip to content

How to Fix the Mixed Content Error

Key idea:

Mixed Content happens when an HTTPS page loads HTTP resources (images, scripts, iframes). Chrome blocks active (scripts/iframes) fully, passive (images) triggers a warning. Fix: replace every http:// with https:// or // (protocol-relative), or set Content-Security-Policy: upgrade-insecure-requests.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your site →

Step-by-Step Setup

  1. Open DevTools → Console → find "Mixed Content: The page was loaded over HTTPS" errors
  2. Scan the site with Enterno Mixed Content Scanner for the full list
  3. Replace HTTP URLs in HTML: http://cdn.old.com → https://cdn.old.com
  4. WordPress: SQL UPDATE wp_posts SET post_content = REPLACE(post_content, "http://example.com", "https://example.com")
  5. Bitrix: admin → Settings → Sites → change server_name and run "Convert links"
  6. Add header: Content-Security-Policy: upgrade-insecure-requests; — upgrades HTTP → HTTPS automatically
  7. Re-scan — should be 0 violations

Working Examples

ScenarioConfig / Record
nginx: CSP upgrade-insecure-requestsadd_header Content-Security-Policy "upgrade-insecure-requests;" always;
Apache: .htaccessHeader set Content-Security-Policy "upgrade-insecure-requests;"
HTML meta fallback<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests;">
Protocol-relative URL<img src="//cdn.example.com/logo.png"> (works on both HTTP and HTTPS)
WordPress pluginReally Simple SSL — auto-replace + HSTS

Common Pitfalls

  • CSP upgrade-insecure-requests fails if the CDN itself does not serve HTTPS — resource 404s
  • <a href="http://..."> is not mixed content, but UX suffers — replace everything
  • JavaScript XMLHttpRequest to HTTP endpoints is blocked silently — verify manually
  • iframe with an HTTP source is active mixed content, blocked entirely by Chrome
  • WebSocket ws:// on an HTTPS page is also blocked — use wss://

TL;DR: Fixing Mixed Content Warnings

To fix mixed content warnings, ensure all resources on your site load over HTTPS. This involves updating URLs for images, scripts, and stylesheets to use HTTPS instead of HTTP. Use tools like Chrome Developer Tools to identify mixed content, and consider implementing Content Security Policy (CSP) headers to enforce secure connections.

Understanding Mixed Content Warnings

Mixed content warnings occur when a secure HTTPS page includes resources that are loaded over an insecure HTTP connection. This can compromise the security of the website, leading to vulnerabilities such as man-in-the-middle attacks. Browsers typically block these insecure requests, which can lead to functionality issues on your site. In 2026, it is crucial to adhere to best practices in web security, especially with increasing regulations in the US and EU regarding data protection.

There are two types of mixed content: active and passive. Active mixed content includes scripts, iframes, and stylesheets that can alter the behavior of the page, while passive mixed content consists of images and videos that do not affect the page's functionality. Browsers may allow passive mixed content but will block active mixed content to protect users.

To effectively address mixed content issues, it’s essential to conduct a thorough audit of your website. Tools like Why No Padlock and SSL Checker can help identify insecure resources on your pages. Additionally, utilizing the browser's developer tools can pinpoint specific mixed content warnings.

Identifying Mixed Content Issues

To identify mixed content issues, you can utilize the built-in developer tools in modern browsers. For example, in Google Chrome, follow these steps:

  1. Right-click on the page and select Inspect.
  2. Go to the Console tab.
  3. Look for warnings related to mixed content. They typically appear as:
Mixed Content: The page was loaded over HTTPS, but requested an insecure resource 'http://example.com/resource'.

This message indicates that a resource loaded over HTTP is causing a mixed content warning. You can also check the Network tab to see the protocol used for each resource.

For a practical example, consider a scenario where you have a website URL:

https://www.example.com

If you find an image being loaded from:

http://www.example.com/images/pic.jpg

you should change it to:

https://www.example.com/images/pic.jpg

To automate detection, you can use tools like wget or curl. For instance, running the following command can help you check for mixed content:

curl -I https://www.example.com

This command retrieves the headers of your site, allowing you to verify whether resources are being loaded securely.

Fixing Mixed Content Warnings

Once mixed content has been identified, the next step is to fix it. Here are the best practices to rectify these issues:

  • Update URLs: Ensure that all resource URLs (images, scripts, stylesheets) are updated to HTTPS. This includes checking for hardcoded URLs in your HTML, CSS, and JavaScript files.
  • Use Relative URLs: Instead of specifying the protocol, you can use protocol-relative URLs. For example, instead of http://www.example.com/resource, use //www.example.com/resource. This allows the browser to automatically use the same protocol as the page.
  • Implement Content Security Policy (CSP): CSP can help mitigate mixed content issues by specifying which sources are allowed to load resources. An example of a CSP header that enforces HTTPS is:
Content-Security-Policy: upgrade-insecure-requests;

This directive automatically upgrades all HTTP requests to HTTPS.

Another critical aspect is ensuring that your website's configuration is correctly set up to redirect HTTP traffic to HTTPS. You can achieve this by modifying your web server configuration. For example, if you are using Apache, you can add the following lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This configuration redirects all HTTP requests to their HTTPS equivalents, effectively reducing the chances of mixed content warnings.

HTTP on HTTPS SiteResources over insecure protocol
Active ContentJS/CSS blocked by the browser
Passive ContentImages with security warning
Page ResourcesAll external resources checked

Why teams trust us

HTTP
mixed content detection
HTTPS
security check
CSS/JS
all resource types
Free
no limits

How it works

1

Enter page URL

2

Scan all resources

3

Find HTTP resources on HTTPS

What is Mixed Content?

Mixed Content is loading HTTP resources (images, scripts, CSS) on an HTTPS page. Browsers block active mixed content (JS, CSS) and warn about passive (images).

Resource Scanning

Find all HTTP resources on the page: scripts, styles, images, frames.

Threat Classification

Divide into active (critical) and passive (non-critical) mixed content.

Problem URL List

Each HTTP resource listed with type and fix recommendation.

Fast Check

Results in seconds — we check the page without full browser rendering.

Who uses this

Security

post-HTTPS migration audit

Developers

insecure resource detection

SEO

browser warning fixes

Sysadmins

third-party resource audit

Common Mistakes

Ignoring passive mixed contentHTTP images aren't blocked, but the browser shows a warning in the address bar.
Not checking after adding JSThird-party scripts may load HTTP resources. Check after connecting them.
Using absolute HTTP URLsUse relative URLs or // scheme everywhere to adapt to protocol.
Not configuring CSPContent-Security-Policy: upgrade-insecure-requests automatically upgrades HTTP to HTTPS.

Best Practices

Use <code>upgrade-insecure-requests</code>CSP directive automatically upgrades all HTTP resources to HTTPS.
Check on deployInclude mixed content check in your CI/CD pipeline.
Use relative URLssrc="/images/logo.png" instead of src="http://example.com/images/logo.png".
Monitor third-party widgetsSocial media widgets and ad systems are a frequent source of mixed content.

Get more with a free account

Mixed content check history and HTTPS security monitoring.

Sign up free

Learn more

Frequently Asked Questions

Difference between active and passive mixed content?

Active — scripts, iframes, stylesheets, XHR — can execute code with the HTTPS page's privileges. Chrome blocks entirely. Passive — images, audio, video — only displayed. Warning but not blocked.

Can I disable the block?

Per-site in Chrome: Settings → Privacy → Site settings → Insecure content → Allowed for specific site. Dangerous in production — use only for dev.

Does upgrade-insecure-requests work everywhere?

Chrome 43+, Firefox 42+, Safari 10.1+. IE does not support it, but modern browsers cover 98% of traffic.

How do I prevent mixed content in new articles?

CMS plugin for auto-replace on save (WordPress: Really Simple SSL), Git pre-commit hook for content, CSP-report monitoring in production.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.