Mixed Content Checker
Scans HTTPS pages for HTTP sub-resources (blocking: scripts/stylesheets/iframes; passive: images/media). Detects CSP upgrade-insecure-requests. Grade A-F.
How to Use Mixed Content Checker
1. Enter your HTTPS URL to scan for mixed content.
2. The tool fetches the page HTML and scans for http:// URLs in all resource attributes.
3. Results are split into blocking (scripts, CSS, iframes) and passive (images, media).
4. Review the CSP recommendation to automatically upgrade insecure requests.
Frequently Asked Questions
What is mixed content?
Mixed content occurs when an HTTPS webpage loads sub-resources (scripts, images, CSS, iframes) over HTTP. Since the page itself is served securely over HTTPS but some resources use unencrypted HTTP, a 'man-in-the-middle' attacker could intercept and modify the insecure resources, potentially injecting malicious code into what appears to be a secure page.
What is the difference between blocking and passive mixed content?
Blocking (active) mixed content — scripts, stylesheets, XHR requests, iframes — is blocked by modern browsers because it can directly modify the HTTPS page and steal credentials or data. Passive mixed content — images, audio, video — is displayed with a warning (the padlock turns broken/yellow) but not blocked, since it has less direct attack surface. Chrome 79+ blocks passive mixed content too.
How do I fix mixed content?
The fastest fix is to add 'Content-Security-Policy: upgrade-insecure-requests' to your HTTP response headers. This tells browsers to automatically upgrade HTTP sub-resource requests to HTTPS. The permanent fix is to update all hardcoded http:// URLs in your HTML, CSS, and JavaScript files to https:// or protocol-relative URLs (//).
What is upgrade-insecure-requests?
The CSP 'upgrade-insecure-requests' directive tells the browser to automatically rewrite all HTTP sub-resource URLs to HTTPS before fetching them. It's a server-side fix that doesn't require changing every URL in your code. Add it as a response header: Content-Security-Policy: upgrade-insecure-requests. Note: this doesn't fix embedded iframes that serve mixed content themselves.
Why does this checker miss some mixed content?
This tool scans the raw HTML response — it doesn't execute JavaScript or load the page in a browser. Mixed content injected by JavaScript after page load (e.g., from ad networks or third-party widgets) won't be detected. For comprehensive scanning, use Chrome DevTools (Console and Network tabs with 'Mixed Content' filter) alongside this static analysis.
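A minimal static scan of the kind described on this page, as an added example that is not the tool's own code: it parses raw HTML, sorts http:// sub-resources into blocking and passive, and checks for upgrade-insecure-requests in a response header or a meta tag. The tag/attribute mapping, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed tag/attribute mapping following the page's blocking/passive split (not the tool's own list).
BLOCKING = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

def has_upgrade(csp):
    # True only if a directive is named exactly upgrade-insecure-requests.
    return any(d.split()[:1] == ["upgrade-insecure-requests"] for d in csp.lower().split(";"))

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.blocking, self.passive, self.meta_upgrade = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.meta_upgrade |= has_upgrade(a.get("content", ""))
        for name, value in a.items():
            if not value.strip().lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are not mixed content
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                continue  # e.g. rel=canonical is a reference, not a fetched sub-resource
            if (tag, name) in BLOCKING:
                self.blocking.append((tag, value))
            elif (tag, name) in PASSIVE:
                self.passive.append((tag, value))

def scan(html, headers=None):
    # headers: response headers as a dict; only an enforcing CSP header counts.
    p = MixedContentScanner()
    p.feed(html)
    p.close()
    csp = next((v for k, v in (headers or {}).items()
                if k.lower() == "content-security-policy"), "")
    return {"blocking": p.blocking, "passive": p.passive,
            "upgrade": p.meta_upgrade or has_upgrade(csp)}

# Constructed sample page (hypothetical hosts under example.test).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src="HTTP://cdn.example.test/legacy.js"></script>
</head><body><img src="http://img.example.test/logo.png">
<iframe src="//video.example.test/embed"></iframe>
<a href="http://example.test/about">About</a></body></html>"""
```

Like the checker, this sees only what is in the HTML it is given; URLs added by scripts at runtime still need a browser-based check.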