medium HTTP Headers

Mixed Content (HTTP resources on HTTPS page)

The HTTPS page loads resources (scripts, images, stylesheets) over HTTP, breaking the integrity of HTTPS.

Severity
medium
Time to Fix
1-2 hours
Difficulty
easy
OWASP
A02:2021 — Cryptographic Failures

What is Mixed Content (HTTP resources on HTTPS page)?

Mixed content occurs when an HTTPS page references HTTP resources. Modern browsers block active mixed content (scripts, stylesheets, iframes) automatically, breaking page functionality. Passive mixed content (images, audio) is allowed but triggers warnings. Mixed content can also be tampered with by a network attacker.

Why It Matters to Your Business

Mixed content breaks page functionality (blocked scripts), triggers browser security warnings that scare visitors, and creates a security gap where parts of your page can be tampered with. Search engines penalize sites with mixed content.

How to Fix It

Update all resource URLs to use HTTPS:

1. Find all HTTP URLs in your HTML:
   grep -r 'http://' /var/www/html/

2. Replace with https:// or protocol-relative URLs (//):
   OLD: <script src="http://cdn.example.com/lib.js"></script>
   NEW: <script src="https://cdn.example.com/lib.js"></script>

3. Use relative URLs where possible:
   OLD: <img src="http://yoursite.com/img/logo.png">
   NEW: <img src="/img/logo.png">

4. Add CSP upgrade-insecure-requests directive:
   Content-Security-Policy: upgrade-insecure-requests

5. Update your database if URLs are stored there:
   UPDATE posts SET content = REPLACE(content, 'http://', 'https://');

Technical Classification

OWASP CategoryA02:2021 — Cryptographic Failures
CWE IDCWE-319: Cleartext Transmission of Sensitive Information
Detected Bymixed_content scanner(s)
Severity Levelmedium

How 2MNY Security Can Help

Check if your website has this vulnerability

Our mixed_content scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities