Mixed Content Checker — HTTP Resources on HTTPS Pages

Active mixed content includes scripts, stylesheets, iframes, and XMLHttpRequest targets loaded over HTTP on HTTPS pages. Modern browsers block these entirely, breaking site functionality silently or with console errors.

Passive mixed content covers images, audio, and video. Browsers may still load them but remove the secure padlock or show 'Not fully secure' indicators. Both types should be eliminated for a clean security UX.

Our scanner inspects static HTML returned by the initial fetch. It finds explicit http:// in src and href attributes — the most common CMS and template mistakes. Dynamically injected URLs via JavaScript after load may not appear unless present in the initial HTML.

For single-page applications, test key routes and view page source or prerendered HTML snapshots where search engines see content.

Legacy blog posts embedding http:// images from migrated domains. Third-party ad tags hardcoded to HTTP. Default schema URLs in JSON-LD or Open Graph tags. Email template fragments accidentally pasted into web pages.

Content security policy upgrade-insecure-requests can mitigate some cases at browser level — fixing URLs at source is still preferred.

Ensure static asset domains support HTTPS and return valid certificates. Use protocol-relative URLs only when both schemes work — explicit https:// is clearer.

After enabling CDN SSL, purge caches so HTML references update. Old HTML cached at edge may still point to http:// asset paths.

Mixed content undermines HTTPS investment. HSTS does not rewrite http:// subresource URLs inside HTML — each reference must be updated. TLS grade A with mixed content still shows browser warnings.

Run mixed content scans after TLS migration projects before announcing completion.

Resources loaded exclusively via JavaScript after DOM ready may be missed. External stylesheets with http:// @import inside CSS are not parsed in this pass. Background images set only in CSS files linked relatively may require separate CSS inspection.

Use browser devtools Security panel for interactive debugging of dynamic mixed content.

Browsers label mixed pages as not fully secure. Security-conscious users abandon checkout flows when padlocks disappear. Search engines prefer consistent HTTPS experiences.

Document zero mixed content as part of launch checklists alongside header and TLS verification.

Fix scripts and stylesheets first — they are blocked outright. Then images and media. Finally audit href links to http:// — less critical for same-tab navigation but still worth updating.

Automate rescan in CI by calling the extended API on staging URLs before promote.

Homepage cleanliness does not guarantee article or checkout templates are clean. Scan representative URLs from each template type.

Parameterized pages may embed user content with http:// links — sanitize on input and scan output.

After CMS imports, theme changes, ad network updates, and third-party script additions. Quarterly hygiene on high-traffic properties.

Pair with security headers checker to deploy Content-Security-Policy that blocks http: sources explicitly.