What is Mixed Content?
Mixed content is when an HTTPS page loads some resources (images, scripts, stylesheets) over plain HTTP. Browsers automatically block "active" mixed content (scripts, iframes) because it could be used to inject code. "Passive" mixed content (images) is usually allowed but shown with a broken-padlock warning.
In more detail
Any resource loaded from an `http://` URL inside an `https://` page is mixed content. The fix is to update URLs to `https://` or use protocol-relative URLs (`//example.com/...`). As a safety net, add `Content-Security-Policy: upgrade-insecure-requests`, which tells browsers to auto-upgrade HTTP requests to HTTPS.
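An audit for the fix described above, as an added example that is not part of the original page: it scans built HTML for `http://` subresources, labels each one active or passive, and suggests the `https://` URL. The function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. Active content can run
# code or restyle the page (browsers block it); passive content cannot.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, suggested_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> only loads a resource when it is a stylesheet;
        # rel="canonical" and similar are plain references.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for name, value in attrs.items():
            url, pair = value.strip(), (tag, name)
            if not url.lower().startswith("http://") or pair not in ACTIVE | PASSIVE:
                continue  # https://, //host/..., relative URLs and <a href> are fine
            kind = "active" if pair in ACTIVE else "passive"
            self.findings.append((kind, tag, url, "https://" + url[7:]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def csp_upgrades_insecure_requests(header_value):
    """True if a Content-Security-Policy value carries the upgrade directive."""
    directives = [d.strip().lower() for d in header_value.split(";")]
    return "upgrade-insecure-requests" in directives

# Constructed sample page, assumed to be served over https://.
SAMPLE = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<img src="http://img.example.com/logo.png">
<img src="//img.example.com/ok.png">
<a href="http://example.com/about">About</a>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(*finding)
```

The suggested URL only works if the host actually serves the resource over HTTPS, so confirm each one before committing the rewrite.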
Why this matters
Why builders care
Mixed content breaks the trust indicator in the address bar — users see a warning padlock even if the rest of your site is fine. For AI-built apps copying tutorial code, mixed content often sneaks in from outdated image hosts.
Fix guides
Fix Mixed Content issues
Mixed content warnings
Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Related terms
Keep learning
SSL / TLS
The encryption protocols that power HTTPS. TLS 1.2 and 1.3 are current; older versions are deprecated.
Content Security Policy
CSP is a browser feature that tells your site which scripts, styles, and images are allowed to run. It is the main defense against cross-site scripting (XSS).
HTTP Strict Transport Security
HSTS is an HTTP response header that tells browsers to only connect to your site over HTTPS, even if a user types `http://`. It stops SSL stripping attacks.