← All guides
Mixed Content: Why Your HTTPS Padlock Breaks
Mixed content happens when a page served over HTTPS pulls in a resource — a script, stylesheet, image or iframe — over plain HTTP. It undermines the security the padlock implies.
Active vs passive
Active mixed content (scripts, iframes, stylesheets) can rewrite the page, so browsers block it outright and functionality breaks. Passive mixed content (images, audio, video) is not blocked but downgrades the padlock and can still be swapped by a network attacker.
How to fix it
Change http:// resource URLs to https:// where the host supports it, or use protocol-relative and same-origin paths. For a large site, a Content-Security-Policy of upgrade-insecure-requests tells the browser to fetch http subresources over https automatically.