SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

Mixed Content: Why Your HTTPS Padlock Breaks

Mixed content happens when a page served over HTTPS pulls in a resource — a script, stylesheet, image or iframe — over plain HTTP. It undermines the security the padlock implies.

Active vs passive

Active mixed content (scripts, iframes, stylesheets) can rewrite the page, so browsers block it outright and functionality breaks. Passive mixed content (images, audio, video) is not blocked but downgrades the padlock and can still be swapped by a network attacker.

How to fix it

Change http:// resource URLs to https:// where the host supports it, or use protocol-relative and same-origin paths. For a large site, a Content-Security-Policy of upgrade-insecure-requests tells the browser to fetch http subresources over https automatically.

🛰 Scan for mixed content →

Related guides

  • What Is HSTS and How Do I Enable It?
  • Content-Security-Policy Explained (and How to Fix a Weak One)
  • CAA Records: Control Which CAs Can Issue Your Certificates
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.