What mixed content is
Mixed content happens when a page served over HTTPS pulls in one or more resources over plain HTTP. The page itself is encrypted, but a script, stylesheet, image, font, or iframe arrives on an unencrypted connection. That single weak link undoes much of the protection HTTPS is meant to give you, because anyone sitting on the network between the visitor and the server can read or rewrite whatever travels over HTTP.
Active and passive mixed content
Browsers split mixed content into two groups. Active content is anything that can change how the page behaves, such as scripts, stylesheets, and iframes. Browsers block active mixed content completely, so a script loaded over HTTP simply never runs and the page can break. Passive content is media that only displays, like images and audio. Browsers usually still load passive content but mark the page as not fully secure and remove the clean lock icon, which erodes trust.
Why browsers block it
The whole point of HTTPS is an encrypted, tamper-proof channel. When a page mixes in HTTP resources, an attacker on the same network can swap a real script for a malicious one or quietly read what loads. Rather than let that slip through, browsers refuse the dangerous parts and warn about the rest, which is why a single HTTP resource can stop a feature from working.
How to fix mixed content
Start by switching every resource URL from http to https, since most services already serve the same asset securely. Replace hardcoded HTTP links in templates, theme files, and stored content, which are a common source of mixed content on older sites. For anything you cannot edit directly, add the upgrade-insecure-requests directive to your Content Security Policy so the browser rewrites remaining HTTP requests to HTTPS for you. For a deeper walkthrough with examples, read the mixed content guide.
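One way to find the hardcoded HTTP links described above, as an added example that is not part of the original page: a Python standard-library scanner that reports each http:// subresource in a template, labels it active or passive using the split given earlier, and prints the https form next to it. The tag-to-category mapping, the sample markup, and the example.com hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Per the article: scripts, stylesheets and iframes are active; images and
# audio are passive. Treating <video> as passive is an addition made here.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
CSP_HEADER = "Content-Security-Policy: upgrade-insecure-requests"

# Constructed sample markup; the example.com hosts are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<a href="http://example.com/about">About</a>
<img src="http://img.example.com/logo.png">
<iframe src="//video.example.com/embed"></iframe>"""


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url, line) for each http:// subresource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return  # only stylesheet links count as active here
        for name, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https, relative and //host URLs are not mixed
            kind = ("active" if (tag, name) in ACTIVE else
                    "passive" if (tag, name) in PASSIVE else None)
            if kind:  # <a href> is navigation, not a subresource
                self.findings.append((kind, tag, url, self.getpos()[0]))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url, line in scan(SAMPLE):
        print(f"line {line}: {kind} <{tag}> {url} -> https{url[4:]}")
    print("fallback for content you cannot edit:", CSP_HEADER)
```

Active findings are the ones to fix first, since those are the resources the browser blocks outright.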