Mixed Content Checker

Free Mixed Content Checker - Detect Insecure HTTP Resources on HTTPS Pages

Our free Mixed Content Checker scans HTTPS pages to detect insecure HTTP resources that break browser security. Find mixed content issues in images, scripts, stylesheets, iframes, videos, forms, and background images. Get instant results showing critical and warning-level issues, complete with URLs and severity ratings. Essential for SSL audits, HTTPS migrations, security compliance, and maintaining the secure padlock icon in browsers. Includes fix recommendations and automatic categorization of all HTTP resources.

What is Mixed Content?

Mixed content occurs when an HTTPS (secure) web page loads resources like images, scripts, stylesheets, or iframes over insecure HTTP connections. This creates security vulnerabilities because HTTP resources can be intercepted, modified, or replaced by attackers through man-in-the-middle attacks. Modern browsers display warnings or block mixed content entirely to protect users. Our Mixed Content Checker automatically scans your HTTPS pages to identify all HTTP resources that compromise your site's security. The tool detects 9 types of resources including images, scripts, stylesheets, iframes, videos, audio, forms, background images, and link resources. Results are categorized by severity: critical issues (scripts, iframes, forms that browsers block or show major warnings for) and warning issues (images, videos, stylesheets that show padlock warnings). Mixed content is particularly important for site owners who recently migrated from HTTP to HTTPS, developers auditing SSL implementations, security engineers conducting vulnerability assessments, SEO professionals ensuring proper HTTPS configuration, and anyone seeing 'Not Secure' warnings despite having an SSL certificate. The checker provides actionable fix recommendations including URL updates, protocol-relative URLs, and Content Security Policy headers for automatic upgrade of insecure requests.

Why Mixed Content Matters

Mixed content defeats the entire purpose of HTTPS encryption and creates multiple serious problems for your website.

• Browser Warnings: Modern browsers show 'Not Secure' warnings, broken padlock icons, or site shield icons with warnings when mixed content is detected, immediately signaling security issues to visitors and reducing trust
• Security Vulnerabilities: HTTP resources can be intercepted and modified by attackers through man-in-the-middle attacks, potentially injecting malicious code, stealing data, or redirecting users to phishing sites
• Blocked Resources: Modern browsers actively block critical mixed content like scripts and iframes by default, which can break your website's functionality, cause images or videos to not load, and create blank sections on pages
• SEO Impact: Google considers HTTPS as a ranking signal and may rank sites with mixed content issues lower than fully secure sites, plus search results may show 'Not Secure' labels that reduce click-through rates
• Broken HTTPS: Mixed content breaks the chain of trust established by your SSL certificate, making the entire HTTPS connection insecure and vulnerable to the same attacks HTTP faces
• User Trust Loss: Visitors see security warnings, broken padlock icons, or content that won't load, causing them to question your site's legitimacy and potentially abandon their visit or transaction
• Compliance Issues: Many security standards (PCI-DSS, HIPAA) and compliance frameworks require fully secure HTTPS connections with no mixed content for handling sensitive data like payments or personal information
• Failed Migrations: After migrating from HTTP to HTTPS, remaining mixed content indicates incomplete migration and prevents you from getting the full security and SEO benefits of HTTPS

How to Use the Mixed Content Checker

Scanning your HTTPS page for mixed content is instant and provides detailed categorized results.

• Enter your HTTPS URL in the input field - must be https:// not http://, tool validates that page uses HTTPS protocol, supports any public HTTPS website
• Click 'Scan for Mixed Content' button - tool fetches your page HTML, parses all resource references (src, href, url() attributes), identifies HTTP resources on HTTPS page
• View your security status - shows secure (✅ green) if no issues found, critical (🚨 red) if scripts/iframes/forms use HTTP, warning (⚠️ orange) if images/videos use HTTP
• Check statistics dashboard - displays total number of mixed content issues found, count of critical issues that browsers block, count of warning issues that show padlock warnings
• Review categorized issues - resources grouped by type (images, scripts, stylesheets, iframes, videos, audio, forms, backgrounds), each showing count and severity level, complete URLs listed for each resource
• Understand severity levels - critical severity (red badge) for scripts, iframes, forms that browsers actively block or show major errors, warning severity (orange badge) for images, videos, stylesheets that show padlock icon warnings
• Read fix recommendations - Method 1: change http:// to https:// in your HTML, Method 2: use protocol-relative URLs (//example.com/image.jpg), Method 3: add Content-Security-Policy: upgrade-insecure-requests header
• Copy or download report - click 'Copy All URLs' to get full list for development team, click 'Download Report' to save text file with all findings and fix recommendations

Types of Mixed Content We Detect

Our scanner comprehensively detects 9 different types of HTTP resources that can cause mixed content issues.

• Images (🖼️ Warning): <img src='http://...'> tags loading pictures over HTTP, causes broken padlock icon in browser, user sees warning but image still loads, fix by changing to https:// or using CDN with HTTPS support
• Scripts (📜 Critical): <script src='http://...'> loading JavaScript files over HTTP, modern browsers BLOCK these completely causing site functionality to break, extremely dangerous as attackers could inject malicious code, must fix immediately
• Stylesheets (🎨 Warning): <link rel='stylesheet' href='http://...'> loading CSS over HTTP, may be blocked in some browsers or show warnings, can cause layout/styling issues if blocked, attackers could inject malicious CSS
• Iframes (🖼️ Critical): <iframe src='http://...'> embedding external content over HTTP, browsers BLOCK or show major warnings, breaks embedded widgets, videos, maps, or third-party content, security risk for clickjacking attacks
• Videos (🎬 Warning): <video src='http://...'> or <source src='http://...'> tags, shows padlock warnings but usually loads, affects embedded video players and streaming content, easy fix by updating video URLs to HTTPS
• Audio (🔊 Warning): <audio src='http://...'> tags loading sound files, similar to videos with padlock warnings, less common but still needs fixing, most audio CDNs support HTTPS
• Form Actions (📝 Critical): <form action='http://...'> submitting to HTTP endpoints, extremely critical security issue - form data sent unencrypted, sensitive info (passwords, credit cards, personal data) exposed to interception, must change to HTTPS immediately
• Background Images (🎨 Warning): CSS url(http://...) in inline styles or style tags, detected in style attributes and <style> blocks, shows padlock warnings, fix in CSS files or inline styles
• Link Resources (🔗 Warning): <link href='http://...'> for various resource types, includes preload, preconnect, dns-prefetch hints, less critical but should still use HTTPS, good practice for consistency

How to Fix Mixed Content Issues

Mixed content can be fixed using several methods depending on your site's setup and hosting environment.

• Update URLs to HTTPS (Recommended): Edit HTML/CSS files to change http:// to https:// for all resources, search codebase for 'http://' string and replace with 'https://', verify external resources (CDNs, third-party scripts) support HTTPS, test thoroughly to ensure all resources load correctly, most reliable long-term solution
• Use Protocol-Relative URLs: Change 'http://example.com/image.jpg' to '//example.com/image.jpg', browser automatically uses same protocol as page (HTTPS), works well for resources available on both HTTP and HTTPS, downside: doesn't work when testing locally (file://) and less explicit than full HTTPS URLs
• Content Security Policy Header (Best for Migrations): Add HTTP header: Content-Security-Policy: upgrade-insecure-requests, automatically upgrades all HTTP requests to HTTPS without code changes, perfect for large sites or during migrations, requires all resources actually available via HTTPS, add in server config (.htaccess for Apache, nginx.conf for Nginx) or via meta tag: <meta http-equiv='Content-Security-Policy' content='upgrade-insecure-requests'>
• Find and Replace in Database: For WordPress, Drupal, or database-driven sites, run SQL query to update content: UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://', 'https://'), backup database first before making bulk changes, use plugin like Better Search Replace for WordPress
• Update CMS Settings: In WordPress: Settings → General, change both WordPress Address and Site Address to HTTPS, force HTTPS in wp-config.php: define('FORCE_SSL_ADMIN', true), clear cache after making changes
• Fix Third-Party Resources: Replace HTTP CDN links with HTTPS versions (most CDNs support both), for Google Fonts, jQuery CDN, Bootstrap CDN - all support HTTPS, if vendor doesn't offer HTTPS, consider hosting file yourself or finding alternative
• Check After Fixes: Run our Mixed Content Checker again to verify all issues resolved, test site thoroughly - check all pages, forms, checkout process, use browser console (F12) to catch any remaining warnings, monitor for regressions after updates

Pro Tip

After migrating to HTTPS, use browser DevTools to catch mixed content during development. Open Chrome DevTools (F12), go to Console tab, and look for yellow warnings about mixed content - Chrome will list every HTTP resource that caused an issue with exact URLs and line numbers. Enable 'Preserve log' in console settings so warnings don't disappear on page navigation. For comprehensive site-wide auditing, use our Mixed Content Checker on your main pages (homepage, checkout, key landing pages) to systematically identify all issues. The Content-Security-Policy: upgrade-insecure-requests header is your best friend during HTTPS migration - add it early and it automatically fixes most mixed content issues without code changes, but verify resources actually work via HTTPS first. For large sites, prioritize fixing critical mixed content (scripts, iframes, forms) over warnings (images, videos) since browsers block critical content first. Don't forget to check embedded third-party content like social media widgets, payment processors, chat tools, and advertising networks - these are common sources of mixed content. When replacing HTTP URLs with HTTPS, verify the HTTPS version actually works (try loading in browser) - some old resources may not have HTTPS versions available. For WordPress sites, Really Simple SSL plugin can help automate mixed content fixes, but manual verification is still recommended. Remember that mixed content affects your site's security posture and user trust even more than technical SEO - a single HTTP script can compromise your entire HTTPS implementation. Test thoroughly on staging before deploying mixed content fixes to production, as incorrect HTTPS URLs can break functionality. Use relative URLs (/images/photo.jpg) instead of absolute URLs (https://example.com/images/photo.jpg) for internal resources to avoid protocol issues entirely. Document which external resources require HTTP and why if you must use them temporarily, then plan migration path to HTTPS alternatives. Run security headers checker along with mixed content checker for comprehensive HTTPS security audit.

FAQ

Related tools

Pro tip: pair this tool with Email Privacy Checker and Form Security Attribute Checker for a faster SEO workflow.

• Email Privacy Checker — Find exposed email addresses in HTML.
• Form Security Attribute Checker — Analyze HTML forms for CSRF-related security attributes and risks.
• Cookie Security Checker — Analyze cookies for Secure, HttpOnly, and SameSite flags. GDPR compliance checker.
• Robots.txt Security Analyzer — Analyze robots.txt to detect exposed admin, login, and sensitive paths.
• Blacklist Lookup — Check if domain is blacklisted.