🔒 Mixed Content Checker

Find insecure HTTP resources loading on your HTTPS pages. Fix mixed content to restore the green padlock and avoid browser security warnings.

Check for Mixed Content

Enter an HTTPS URL to scan for insecure HTTP resources (images, scripts, CSS, iframes, forms).

About the Mixed Content Checker

Mixed content breaks your HTTPS security and triggers browser warnings that scare away visitors. Google Chrome now blocks all active mixed content by default and shows "Not Secure" warnings for passive mixed content on HTTPS pages.

Active vs Passive Mixed Content

  • Active (blocked) — Scripts, stylesheets, iframes, fonts, XHR/fetch requests. Browsers refuse to load these over HTTP on HTTPS pages.
  • Passive (warned) — Images, video, audio. These load but trigger a "Not Secure" padlock warning.

How to Fix

  1. Change all http:// URLs to https://
  2. Use protocol-relative URLs (//example.com/) to auto-match the page's protocol
  3. Set a Content-Security-Policy header to upgrade HTTP to HTTPS automatically

Frequently Asked Questions

What is mixed content?
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, etc.) over insecure HTTP. Browsers block active mixed content (scripts, CSS) and warn about passive mixed content (images), breaking the green padlock.
Why is mixed content dangerous?
HTTP resources can be intercepted and modified by attackers. Loading scripts over HTTP on an HTTPS page is a security vulnerability. Browsers now block active mixed content by default.
How do I fix mixed content?
Change all HTTP resource URLs to HTTPS. If the resource is available over HTTPS, simply use https://. If not, host it yourself or find an HTTPS alternative. Also check for protocol-relative URLs (starting with //) which use the page's protocol.