How to Fix Mixed Content Warnings on HTTPS Sites
What the mixed content check tests
SiteCurl scans your page’s HTML for any resource (images, scripts, stylesheets, iframes) loaded over HTTP on a page served over HTTPS. These are “mixed content” and trigger browser warnings or outright blocks.
Browsers categorize mixed content into two types. Active mixed content (scripts, iframes) is blocked by default because it can be tampered with in transit. Passive mixed content (images, audio, video) triggers a warning but may still load.
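The scan and the active/passive split described above can be sketched with Python's standard library. This is an added example, not SiteCurl's code; the page URL, the sample markup, and the names `MixedContentFinder` and `find_mixed_content` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that fetch a subresource: tag -> (URL attribute, category).
# Stylesheets are classed as active because browsers block them like scripts.
RESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<link rel="canonical" href="http://shop.example/blog/post">
<link rel="stylesheet" href="http://shop.example/site.css">
<script src="http://cdn.example.com/library.js"></script>
<script src="//cdn.example.com/other.js"></script>
<img src="http://example.com/photo.jpg">
<img src="/local.png">
<a href="http://example.com/">plain link</a>
<iframe src="https://embed.example.com/widget"></iframe>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCES:
            return  # e.g. <a href> is navigation, not a subresource load
        attrs = dict(attrs)
        attr, category = RESOURCES[tag]
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical and similar hints fetch nothing
        raw = (attrs.get(attr) or "").strip()
        if not raw:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, raw)
        if urlsplit(url).scheme == "http":
            self.findings.append((category, tag, url))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Only the stylesheet, the first script, and the first image are reported for the sample: the canonical link and the anchor load nothing, and the protocol-relative and root-relative URLs resolve to HTTPS.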
Why it matters
You invested in HTTPS to protect your visitors. But if your page loads a script over HTTP, an attacker on the network can modify that script before it reaches the browser. The HTTPS connection on the page itself does not protect against this because the compromised resource came through an unencrypted channel.
Even passive mixed content degrades trust. Chrome hides the padlock icon and may show security warnings. Visitors see these warnings and question whether your site is safe.
How to fix it
Find the HTTP resources
SiteCurl lists every mixed content URL in your report. You can also find them manually: open Chrome DevTools, go to the Console tab, and look for “Mixed Content” warnings.
Replace HTTP with HTTPS
For most resources, the fix is simple: change http:// to https:// in the URL.
Before:
<img src="http://example.com/photo.jpg">
<script src="http://cdn.example.com/library.js"></script>
After:
<img src="https://example.com/photo.jpg">
<script src="https://cdn.example.com/library.js"></script>
Use protocol-relative URLs (or better, just HTTPS)
Protocol-relative URLs (//example.com/file.js) inherit the page’s protocol, so on an HTTPS page they load over HTTPS. But the modern best practice is to always use https:// explicitly.
Fix CMS content
If mixed content comes from blog posts, pages, or other CMS-managed content, do a search-and-replace in your database to change http://yourdomain.com to https://yourdomain.com. WordPress plugins like “Really Simple SSL” can handle this automatically.
Fix third-party embeds
If a third-party widget or embed uses HTTP, check whether the provider supports HTTPS. Most do. Update the embed code to use HTTPS. If the provider does not support HTTPS, consider replacing that provider.
How to verify the fix
Reload your page in Chrome and check the Console for any remaining “Mixed Content” warnings. The padlock icon in the address bar should appear without warnings. Run a SiteCurl scan for a full check across all pages.
Related checks
Mixed content often appears alongside HTTPS/HSTS issues and Content Security Policy gaps.