Mixed content errors occur when an HTTPS page loads resources via insecure HTTP, compromising the security of the entire page.
These errors are among the most common and frustrating HTTPS issues, often appearing after migrating to HTTPS or when integrating third-party content.
This guide covers:
- What mixed content is
- Why it's a problem
- How to identify it
- How to fix it permanently
What is Mixed Content
Mixed content occurs when a page loaded over HTTPS (secure) includes resources loaded over HTTP (insecure).
This creates a security risk because an attacker can modify the unencrypted HTTP content even though the main page is secure.
The Two Types of Mixed Content
Active mixed content (blocked by browsers):
- JavaScript files
- CSS stylesheets
- Iframes
- AJAX/Fetch requests
Passive mixed content (with warning):
- Images
- Videos
- Audio files
- Fonts
Passive content is less critical because it cannot execute code, but it still exposes information about browsing behavior.
Why Mixed Content is a Problem
Mixed content causes several significant problems:
1. Security Compromise
The whole point of HTTPS is to protect all page content. HTTP elements create holes in that protection.
An attacker on the network can:
- Modify HTTP content
- Inject malicious code
- Steal sensitive data
- Redirect users
2. Browser Blocking
Modern browsers block active mixed content by default:
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS,
but requested an insecure script 'http://cdn.example.com/script.js'.
This request has been blocked; the content must be served over HTTPS.
3. SEO Impact
Google considers HTTPS security in its rankings. Mixed content compromises this signal and can affect your positioning.
4. Loss of Trust
Security-aware users will recognize the warnings (missing green padlock) and lose trust in your site.
How to Identify Mixed Content
Via Browser Console
Open developer tools (F12) and check the console:
// Example console warning
Mixed Content: The page at 'https://yoursite.com/' was loaded over HTTPS,
but requested an insecure image 'http://cdn.external.com/image.jpg'.
Via Network Tab
- Open DevTools (F12)
- Go to the Network tab
- Filter by scheme:http to see insecure requests
Online Tools
Several tools can scan your site:
For Large Sites
Use crawling tools like Screaming Frog to identify issues across many pages.
Best Practices for Fixing
1. Update Your Own Resources
For content you control, update the references:
<!-- ❌ Before -->
<script src="http://yoursite.com/script.js"></script>
<img src="http://yoursite.com/image.png">
<!-- ✅ After - Relative URLs -->
<script src="/script.js"></script>
<img src="/images/image.png">
<!-- ✅ After - Protocol-relative URLs -->
<script src="//yoursite.com/script.js"></script>
2. Update Third-Party Content
Check if your third-party providers support HTTPS:
<!-- ❌ Before -->
<script src="http://cdn.external.com/library.js"></script>
<!-- ✅ After -->
<script src="https://cdn.external.com/library.js"></script>
3. Implement Content-Security-Policy
Add this directive to automatically upgrade HTTP requests:
# In your server configuration
Content-Security-Policy: upgrade-insecure-requests;
Or in HTML:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
4. Proxy for User Content
For user-submitted images (forums, comments), implement a proxy:
// Conceptual example of an image proxy
const secureImageUrl = `https://yoursite.com/proxy?url=${encodeURIComponent(userImageUrl)}`
Correction Checklist
- Audit all pages with DevTools
- Update internal URLs to HTTPS or relative
- Check third-party integrations (analytics, widgets, CDN)
- Add the
upgrade-insecure-requestsheader - Test after each change
- Configure CSP alerts for the future
Conclusion
Mixed content errors compromise HTTPS security and create a poor user experience.
By understanding the types of mixed content and systematically identifying sources, you can resolve these errors and deliver a fully secure experience.
Key steps:
- Use HTTPS for all resources
- Update third-party references
- Implement Content Security Policy
- Regularly monitor for new errors
