Mixed Content Checker
Find insecure HTTP resources on HTTPS pages that trigger browser warnings and compromise security.
What This Tool Checks
Comprehensive detection of insecure resources on HTTPS pages.
Active Mixed Content
Detects scripts, stylesheets, iframes, and other executable resources loaded over HTTP that browsers actively block.
Passive Mixed Content
Finds images, audio, video, and other display resources loaded insecurely that trigger browser warnings.
CSS URL Detection
Scans inline styles and style tags for url() references pointing to insecure HTTP resources.
Security Classification
Classifies each resource as active or passive mixed content so you can prioritize critical fixes first.
How It Works
Three simple steps to find mixed content on any page.
Enter URL
Type the HTTPS URL of the page you want to scan. We will automatically normalize it to HTTPS if needed.
Scan Resources
We fetch the page and parse every HTML element looking for images, scripts, stylesheets, iframes, and CSS url() references loaded over HTTP.
Review Results
See a clear breakdown of active vs passive mixed content with the exact tag and URL for each insecure resource.
Related Tools
Other security and analysis tools you might find useful.
Frequently Asked Questions
Common questions about mixed content and how to fix it.
Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets) over insecure HTTP. This undermines the security of the HTTPS connection because an attacker could intercept or modify the HTTP resources via a man-in-the-middle attack.
Active mixed content includes resources that can interact with the page — scripts, stylesheets, iframes, and objects. Browsers block these entirely because they could be exploited to steal data or modify the page. Passive mixed content includes images, audio, and video — browsers may still load these but show a warning icon in the address bar.
The simplest fix is to change all HTTP URLs to HTTPS. If the resource server supports HTTPS, just update the URL. You can also use protocol-relative URLs (//example.com/file.js) or set a Content-Security-Policy header with upgrade-insecure-requests to automatically upgrade HTTP requests to HTTPS.
While mixed content itself is not a direct ranking factor, it can trigger browser security warnings that increase bounce rates. Google has also indicated that HTTPS is a ranking signal, and mixed content undermines the security benefits of HTTPS. Fixing mixed content ensures your site is fully secure and trustworthy.