Mixed Content

Security Glossary - SSL/TLS

Definition: Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets, iframes) over plain HTTP. This creates a security vulnerability because the HTTP resources can be intercepted and modified by an attacker, even though the main page was loaded securely over HTTPS.

Why You Should Care About Mixed Content

Mixed content undermines the security that HTTPS provides. If an HTTPS page loads a JavaScript file over HTTP, an attacker on the network can replace that script with malicious code. The user sees a secure lock icon, believing the page is fully protected, while actually executing attacker-controlled JavaScript.

Browsers categorize mixed content as "active" (scripts, stylesheets, iframes - which are blocked by default) and "passive" (images, audio, video - which may load with a warning). Active mixed content is more dangerous because it can modify the page, steal data, or redirect users. Passive mixed content can still leak information through the referrer header and allows content tampering.

Modern browsers block active mixed content by default, which means HTTP scripts on your HTTPS page simply will not load, breaking functionality. Passive mixed content may display a warning icon instead of the secure lock. To fix mixed content, update all resource URLs to use HTTPS or protocol-relative paths, and add the upgrade-insecure-requests CSP directive as a safety net.

Testing Your Configuration

A security audit checks for mixed content on your pages. Browser developer tools also flag mixed content in the console. Use the Content-Security-Policy header with the upgrade-insecure-requests directive to automatically upgrade HTTP resource requests to HTTPS.


Questions and Answers

How do I find mixed content on my site?

Open your site in Chrome, press F12 to open Developer Tools, and check the Console tab for mixed content warnings. A security audit tool can also scan all pages for mixed content issues. Look for any resource URLs starting with http:// on your HTTPS pages.

What is the upgrade-insecure-requests directive?

It is a CSP directive that tells the browser to automatically upgrade HTTP resource requests to HTTPS before fetching them. Adding Content-Security-Policy: upgrade-insecure-requests as a header is a quick fix for mixed content caused by hardcoded HTTP URLs.
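The check described above (looking for http:// sub-resource URLs on an HTTPS page, split into active and passive, and confirming whether a CSP header carries upgrade-insecure-requests) as an added Python example; this is not DomainOptic's scanner, and the page URL, hostnames and HTML are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute. Browsers treat HTTP loads of these as "active" mixed content.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data", "embed": "src"}
# These are "passive": they cannot run code but can be tampered with or leak the referrer.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, absolute_url) for every sub-resource fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        # <link> only loads a sub-resource when it is a stylesheet
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        url = attrs.get(attr)
        if not url:
            return
        # urljoin resolves relative and protocol-relative (//host/path) URLs against the page
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html, csp_header=""):
    """Return mixed-content findings and whether the CSP header would upgrade them."""
    if urlsplit(page_url).scheme != "https":
        return {"findings": [], "upgraded_by_csp": False}  # only HTTPS pages can have mixed content
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    directives = {d.strip().split()[0].lower() for d in csp_header.split(";") if d.strip()}
    return {"findings": parser.findings, "upgraded_by_csp": "upgrade-insecure-requests" in directives}


# Constructed sample page: two active loads, one protocol-relative load, one passive load.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/logo.png"><img src="/local.png">
</body></html>"""
```

Run `scan("https://www.example.test/", SAMPLE_HTML)` to list the three HTTP loads; passing a CSP header containing upgrade-insecure-requests flips `upgraded_by_csp` to True.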
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.