CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Mixed Content (HTTP on HTTPS)

security CWE-319 Intermediate

Also Known As

mixed content warning http on https insecure content mixed content error passive mixed content active mixed content

TL;DR

When an HTTPS page loads resources (images, scripts, stylesheets) over HTTP — browsers block active mixed content and warn on passive, undermining the security of the HTTPS connection.

Explanation

Mixed content occurs when a page served over HTTPS loads sub-resources over HTTP. There are two types with different browser treatment: active mixed content (scripts, stylesheets, iframes, XMLHttpRequest) is blocked by all modern browsers since 2020 — the resource simply doesn't load; passive mixed content (images, audio, video) triggers a security warning and Chrome attempts to auto-upgrade to HTTPS. Mixed content undermines HTTPS because an attacker on the network can intercept and modify the HTTP resource, injecting malicious content into an otherwise secure page. The most insidious source is CMS databases — content editors add images with http:// URLs before HTTPS migration, and those URLs persist in the database long after the site moves to HTTPS. A find-and-replace in the database is required, not just template changes. Chrome DevTools Security tab shows exactly which URLs caused mixed content.

Common Misconception

Mixed content only affects pages with login forms or payment — any HTTP resource on an HTTPS page is a vector for content injection; an attacker can modify an HTTP image response to serve a script tag that executes on your secure page.

Why It Matters

Active mixed content (a single HTTP script tag on an HTTPS page) is completely blocked in Chrome and Firefox, silently breaking page functionality — developers often don't discover this until users report the page being broken after HTTPS migration.

Common Mistakes

  • Fixing HTML templates but not database content — CMS-stored image URLs with http:// persist after HTTPS migration and cause mixed content on every page load.
  • Hard-coded http:// URLs in CSS (background-image, @font-face src) — easy to miss during migration.
  • Third-party embed code using http:// for their own scripts — must contact provider or find HTTPS version.
  • Not testing after HTTPS migration — mixed content only appears after the switch; dev environments often don't enforce it.

Avoid When

  • Do not rely on CSP upgrade-insecure-requests as a permanent fix — it does not upgrade active mixed content in all cases and is not a substitute for fixing URLs at source.

When To Use

  • Fix mixed content immediately on any HTTPS site — active mixed content is blocked and breaks functionality.
  • Use CSP header 'upgrade-insecure-requests' as a safety net during HTTPS migration to auto-upgrade passive mixed content.

Code Examples

✗ Vulnerable 
<!-- HTTP image on HTTPS page — passive mixed content warning -->
<img src="http://example.com/product.jpg" alt="Product">

<!-- HTTP script on HTTPS page — BLOCKED by browser -->
<script src="http://cdn.example.com/analytics.js"></script>
✓ Fixed 
<!-- Use HTTPS for all resource URLs -->
<img src="https://example.com/product.jpg" alt="Product">
<script src="https://cdn.example.com/analytics.js"></script>

<!-- Protocol-relative URLs as a fallback -->
<img src="//example.com/product.jpg" alt="Product">

<!-- Fix CMS database content -->
<!-- UPDATE posts SET content = REPLACE(content, 'http://', 'https://') WHERE content LIKE '%http://%' -->
Added 6 Apr 2026
Views 15

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping W 0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T
Agents 0
No pings yet today
No pings yesterday
Google 3 SEMrush 2 ChatGPT 1 Qwen 1 Ahrefs 1
Also referenced
Content Security Policy (CSP) 26 HTTP Security Headers 25 HTTPS & TLS 19 Dependency & Supply Chain Security 10
How they use it
crawler 8
Related categories
security 4k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Change all http:// resource URLs to https://; run database find-and-replace on CMS content; use Content-Security-Policy: upgrade-insecure-requests as a safety net
📦 Applies To
html web
🔍 Detection Hints
src="http:// or href="http:// on an HTTPS page; Chrome DevTools Security tab shows mixed content
Auto-detectable: ✓ Yes chrome-devtools why-no-padlock mixed-content-checker lighthouse
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-319
✓ schema.org compliant