Mixed Content (HTTP resources on HTTPS page)
The HTTPS page loads resources (scripts, images, stylesheets) over HTTP, breaking the integrity of HTTPS.
What is Mixed Content (HTTP resources on HTTPS page)?
Mixed content occurs when an HTTPS page references HTTP resources. Modern browsers block active mixed content (scripts, stylesheets, iframes) automatically, breaking page functionality. Passive mixed content (images, audio) is allowed but triggers warnings. Mixed content can also be tampered with by a network attacker.
Why It Matters to Your Business
Mixed content breaks page functionality (blocked scripts), triggers browser security warnings that scare visitors, and creates a security gap where parts of your page can be tampered with. Search engines penalize sites with mixed content.
How to Fix It
Update all resource URLs to use HTTPS: 1. Find all HTTP URLs in your HTML: grep -r 'http://' /var/www/html/ 2. Replace with https:// or protocol-relative URLs (//): OLD: <script src="http://cdn.example.com/lib.js"></script> NEW: <script src="https://cdn.example.com/lib.js"></script> 3. Use relative URLs where possible: OLD: <img src="http://yoursite.com/img/logo.png"> NEW: <img src="/img/logo.png"> 4. Add CSP upgrade-insecure-requests directive: Content-Security-Policy: upgrade-insecure-requests 5. Update your database if URLs are stored there: UPDATE posts SET content = REPLACE(content, 'http://', 'https://');
Technical Classification
| OWASP Category | A02:2021 — Cryptographic Failures |
| CWE ID | CWE-319: Cleartext Transmission of Sensitive Information |
| Detected By | mixed_content scanner(s) |
| Severity Level | medium |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our mixed_content scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.