Mixed Content Checker

Find insecure HTTP resources loading on your HTTPS pages. Check images, scripts, CSS, iframes, forms, and other elements for mixed content that breaks the padlock and triggers browser security warnings.

Check for Mixed Content

Enter an HTTPS URL to scan for insecure HTTP resources (images, scripts, CSS, iframes, forms, video, audio, and more).
Quick test:

About the Mixed Content Checker

This tool fetches any HTTPS webpage and performs a comprehensive scan for HTTP resources that cause mixed content warnings. It checks all resource types:

Images & Media

Scans img src, srcset, data-src (lazy-loaded), picture source elements for insecure URLs.

Scripts

Detects JavaScript files loaded over HTTP that browsers will block completely.

Stylesheets

Checks link rel="stylesheet/preload", inline style url() references for HTTP URLs.

Why Mixed Content Matters for Your Website

Mixed content is one of the most common security issues on HTTPS websites. When you migrate from HTTP to HTTPS (which Google now treats as a ranking signal), some resources are often left behind as HTTP URLs. This creates a false sense of security — your page loads over HTTPS but pulls in resources over unencrypted connections.

The impact is significant:

  • Broken pages:Active mixed content (scripts, CSS, iframes) is blocked by modern browsers, breaking page functionality silently. Users see a broken page without understanding why.
  • Lost trust:The "Not Secure" warning in Chrome's address bar erodes visitor confidence. For e-commerce and login pages, this is devastating for conversion rates.
  • Security vulnerabilities:HTTP resources can be intercepted and modified in transit (man-in-the-middle attacks). A script loaded over HTTP can be replaced with malicious code.
  • SEO impact:While mixed content isn't a direct ranking penalty, the resulting poor user experience (bounce rate, broken functionality) indirectly affects search performance.

Best Practices for Fixing Mixed Content

  1. Find all HTTP resources — Use this tool to scan every page on your site. Pay special attention to templates, headers, footers, and shared components.
  2. Change HTTP to HTTPS — For most resources, simply replacing http:// with https:// in the URL works. Test after changing.
  3. Use protocol-relative URLs — Use //example.com/file.js instead of http://example.com/file.js. The browser automatically uses the page's protocol.
  4. Implement CSP upgrade-insecure-requests — Add the HTTP header Content-Security-Policy: upgrade-insecure-requests as a safety net that automatically upgrades all HTTP requests to HTTPS.
  5. Use CSP report-uri — Set up a CSP report-uri to monitor mixed content violations in production so you catch new issues as they appear.
  6. Host resources yourself — If a third-party resource isn't available over HTTPS, download and host it on your own server with HTTPS.

Frequently Asked Questions

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, etc.) over insecure HTTP. Browsers block active mixed content (scripts, CSS) and warn about passive mixed content (images), breaking the green padlock and showing "Not Secure" warnings.
HTTP resources can be intercepted and modified by attackers through man-in-the-middle attacks. Loading scripts over HTTP on an HTTPS page is a critical security vulnerability. Browsers now block active mixed content by default, which can break your page functionality.
Change all HTTP resource URLs to HTTPS. If the resource is available over HTTPS, simply use https://. If not, host it yourself or find an HTTPS alternative. Also check for protocol-relative URLs (starting with //) which use the page's protocol. Use the Content-Security-Policy: upgrade-insecure-requests header to automatically upgrade HTTP requests to HTTPS.
Active mixed content (scripts, stylesheets, iframes, fonts, XHR/fetch) interacts with the page and is blocked by modern browsers. Passive mixed content (images, video, audio) only displays content and triggers a "Not Secure" warning but still loads. Both types should be fixed for full security.
Yes — mixed content warnings degrade user trust and increase bounce rates. Google Chrome flags HTTPS pages with mixed content as "Not Secure" in the address bar. Google may also treat mixed content as a ranking signal since it indicates poor security hygiene.
Chrome, Firefox, and Edge block all active mixed content (scripts, iframes, stylesheets) by default. Passive mixed content (images) loads but causes the padlock to show "Not Secure."Safari is stricter and may block both types. Users see security warnings that can erode trust.
The upgrade-insecure-requests CSP directive tells the browser to automatically upgrade all HTTP resource requests to HTTPS before fetching them. This is a server-side fix that requires no code changes. Add this header: Content-Security-Policy: upgrade-insecure-requests. It's a great safety net for large sites with many resources.
Protocol-relative URLs inherit the page's protocol. On HTTPS pages, they load over HTTPS and are safe. However, if the page loads over HTTP (which shouldn't happen), they'd load over HTTP. Best practice: always use full HTTPS URLs for resources to avoid ambiguity.
Our Mixed Content Checker scans any page for HTTP resources. You can also use Chrome DevTools (Console tab shows mixed content errors), the Lighthouse audit tool (Security section), or Content-Security-Policy report-uri directives to monitor mixed content in production.
Reviewed Jun 2026 · Sources and limitations

Review details: 2026-06-10 · Marc LaClear · v1.0

Reference sources:

Known limits:

  • Checks are based on publicly fetchable HTML, response headers, and browser-side input. They do not use private Google Search Console, analytics, or ranking data.
  • Scores and warnings are diagnostic aids, not guarantees of ranking improvement or Google indexation.
  • Pages blocked by robots.txt, login walls, bot protection, heavy JavaScript, or network timeouts may return incomplete results.
  • Validate critical fixes with official Google tools such as Search Console, Rich Results Test, Lighthouse, and your own crawl data.

Report an issue with this tool