Mixed Content happens when an HTTPS page loads HTTP resources (images, scripts, iframes). Chrome blocks active (scripts/iframes) fully, passive (images) triggers a warning. Fix: replace every http:// with https:// or // (protocol-relative), or set Content-Security-Policy: upgrade-insecure-requests.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — mixed-content checker: instant results, no signup.
http://cdn.old.com → https://cdn.old.comUPDATE wp_posts SET post_content = REPLACE(post_content, "http://example.com", "https://example.com")Content-Security-Policy: upgrade-insecure-requests; — upgrades HTTP → HTTPS automatically| Scenario | Config / Record |
|---|---|
| nginx: CSP upgrade-insecure-requests | add_header Content-Security-Policy "upgrade-insecure-requests;" always; |
| Apache: .htaccess | Header set Content-Security-Policy "upgrade-insecure-requests;" |
| HTML meta fallback | <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests;"> |
| Protocol-relative URL | <img src="//cdn.example.com/logo.png"> (works on both HTTP and HTTPS) |
| WordPress plugin | Really Simple SSL — auto-replace + HSTS |
<a href="http://..."> is not mixed content, but UX suffers — replace everythingXMLHttpRequest to HTTP endpoints is blocked silently — verify manuallyTo fix mixed content warnings, ensure all resources on your site load over HTTPS. This involves updating URLs for images, scripts, and stylesheets to use HTTPS instead of HTTP. Use tools like Chrome Developer Tools to identify mixed content, and consider implementing Content Security Policy (CSP) headers to enforce secure connections.
Mixed content warnings occur when a secure HTTPS page includes resources that are loaded over an insecure HTTP connection. This can compromise the security of the website, leading to vulnerabilities such as man-in-the-middle attacks. Browsers typically block these insecure requests, which can lead to functionality issues on your site. In 2026, it is crucial to adhere to best practices in web security, especially with increasing regulations in the US and EU regarding data protection.
There are two types of mixed content: active and passive. Active mixed content includes scripts, iframes, and stylesheets that can alter the behavior of the page, while passive mixed content consists of images and videos that do not affect the page's functionality. Browsers may allow passive mixed content but will block active mixed content to protect users.
To effectively address mixed content issues, it’s essential to conduct a thorough audit of your website. Tools like Why No Padlock and SSL Checker can help identify insecure resources on your pages. Additionally, utilizing the browser's developer tools can pinpoint specific mixed content warnings.
To identify mixed content issues, you can utilize the built-in developer tools in modern browsers. For example, in Google Chrome, follow these steps:
Mixed Content: The page was loaded over HTTPS, but requested an insecure resource 'http://example.com/resource'.
This message indicates that a resource loaded over HTTP is causing a mixed content warning. You can also check the Network tab to see the protocol used for each resource.
For a practical example, consider a scenario where you have a website URL:
https://www.example.com
If you find an image being loaded from:
http://www.example.com/images/pic.jpg
you should change it to:
https://www.example.com/images/pic.jpg
To automate detection, you can use tools like wget or curl. For instance, running the following command can help you check for mixed content:
curl -I https://www.example.com
This command retrieves the headers of your site, allowing you to verify whether resources are being loaded securely.
Once mixed content has been identified, the next step is to fix it. Here are the best practices to rectify these issues:
http://www.example.com/resource, use //www.example.com/resource. This allows the browser to automatically use the same protocol as the page.Content-Security-Policy: upgrade-insecure-requests;
This directive automatically upgrades all HTTP requests to HTTPS.
Another critical aspect is ensuring that your website's configuration is correctly set up to redirect HTTP traffic to HTTPS. You can achieve this by modifying your web server configuration. For example, if you are using Apache, you can add the following lines to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This configuration redirects all HTTP requests to their HTTPS equivalents, effectively reducing the chances of mixed content warnings.
Mixed Content is loading HTTP resources (images, scripts, CSS) on an HTTPS page. Browsers block active mixed content (JS, CSS) and warn about passive (images).
Find all HTTP resources on the page: scripts, styles, images, frames.
Divide into active (critical) and passive (non-critical) mixed content.
Each HTTP resource listed with type and fix recommendation.
Results in seconds — we check the page without full browser rendering.
post-HTTPS migration audit
insecure resource detection
browser warning fixes
third-party resource audit
// scheme everywhere to adapt to protocol.Content-Security-Policy: upgrade-insecure-requests automatically upgrades HTTP to HTTPS.src="/images/logo.png" instead of src="http://example.com/images/logo.png".Mixed content check history and HTTPS security monitoring.
Sign up freeActive — scripts, iframes, stylesheets, XHR — can execute code with the HTTPS page's privileges. Chrome blocks entirely. Passive — images, audio, video — only displayed. Warning but not blocked.
Per-site in Chrome: Settings → Privacy → Site settings → Insecure content → Allowed for specific site. Dangerous in production — use only for dev.
Chrome 43+, Firefox 42+, Safari 10.1+. IE does not support it, but modern browsers cover 98% of traffic.
CMS plugin for auto-replace on save (WordPress: Really Simple SSL), Git pre-commit hook for content, CSP-report monitoring in production.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.