Mixed content happens when a secure HTTPS page loads resources (images, scripts, styles) over insecure HTTP. Browsers either block them or downgrade your padlock, because insecure resources undermine the page's security.
A page served over HTTPS should load every resource over HTTPS too. Mixed content weakens the security guarantee and triggers browser warnings or outright blocking, especially for scripts and stylesheets.
Check your website
See how your site handles mixed content: when https pages load insecure resources — free, no account needed.
For business owners
You installed a certificate and expected a padlock — but visitors still see warnings. Mixed content is usually the culprit: an old image URL or third-party widget still using http://. It makes a secure site look insecure and can break functionality when browsers block the offending resource. Cleaning it up restores the padlock and the trust it signals.
How it works (technical)
Browsers classify mixed content into two tiers:
- Active mixed content (scripts, iframes, stylesheets, XHR/fetch) is blocked by default because it can alter the whole page.
- Passive mixed content (images, audio, video) may load but downgrades the security indicator.
The fix is to load everything over HTTPS. The upgrade-insecure-requests Content-Security-Policy directive tells the browser to automatically rewrite http:// resource requests to https://.
Real-world example
A blog migrated to HTTPS but years of posts contained http:// image links. Images still showed, but the padlock became a warning triangle. Adding Content-Security-Policy: upgrade-insecure-requests and running a database find-replace on old URLs restored the clean padlock.
Why it matters
Mixed content defeats much of the point of HTTPS and is a common reason a "secure" site still shows warnings. Scanners flag it, and blocked scripts can break menus, forms and checkout.
How to fix it
Find insecure resources using your browser's developer console (it logs mixed-content warnings).
Update hard-coded
http://URLs in templates, content and the database tohttps://.Add
upgrade-insecure-requeststo your Content-Security-Policy as a safety net.Replace or remove third-party widgets that only support HTTP.
Re-scan to confirm no active or passive mixed content remains.
Best practices
Use protocol-relative or absolute HTTPS URLs for all assets.
Add
upgrade-insecure-requeststo catch stragglers automatically.Audit third-party embeds for HTTPS support before adding them.
Common mistakes
Assuming the certificate alone guarantees a padlock.
Leaving legacy content with http:// image and script links.
Embedding third-party scripts over HTTP.
Frequently asked questions
Why do images still load but scripts do not?
Browsers block active mixed content (scripts, styles, iframes) because it is dangerous, but allow passive content (images) with a downgraded indicator.
What is the fastest fix?
Add the upgrade-insecure-requests CSP directive, then clean up hard-coded http:// URLs so the fix is permanent.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free